Summary | ZeroBOX

update.exe

PE32 PE File
Category FILE
Machine s1_win7_x6402
Started July 20, 2021, 8:09 a.m.
Completed July 20, 2021, 8:14 a.m.
Size 554.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 44b42e92ffe33907c539d1135bb05239
SHA256 2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
CRC32 8B5C6936
ssdeep 6144:aJOnI2caT+aLwjBbZoTFS8nGzIgPc1iq478mSvL5Fx7b06+Mt6twbZD8c+XRs9L6:ViaT+aLwQ/yX78l+Btth4G
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Domains (Name / Response / Post-Analysis Lookup): no hosts contacted.
Hosts (IP Address / Status / Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated (each call below lists its arguments, followed by a trailing row with its Status, Return and Repeated values)

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
update+0x7cbcd @ 0x47cbcd

exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff
exception.symbol: lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a
exception.instruction: mov cl, byte ptr [eax]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41802
exception.address: 0x748aa34a
registers.esp: 41287472
registers.edi: 2192375825
registers.eax: 2192375825
registers.ebp: 41287512
registers.edx: 2192375826
registers.ebx: 45465996
registers.esi: 4704206
registers.ecx: 147
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x748ab727
registers.esp: 1637432
registers.edi: 1637620
registers.eax: 1637432
registers.ebp: 1637512
registers.edx: 0
registers.ebx: 9625416
registers.esi: 1637620
registers.ecx: 2
1 0 0

__exception__

stacktrace:
0x2541304
0x30 (the same frame value repeated for the following 63 frames)

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 17
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2541304
registers.r14: 0
registers.r15: 65826
registers.rcx: 48
registers.rsi: 2149646339
registers.r10: 0
registers.rbx: 0
registers.rsp: 48886984
registers.r11: 48887984
registers.r8: 1997177228
registers.r9: 0
registers.rdx: 8796092682832
registers.r12: 4294967295
registers.rbp: 48887104
registers.rdi: 0
registers.rax: 39064320
registers.r13: 8791631979200
1 0 0

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4da49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff0973c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefdba62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7feff15b949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefdba21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefda5d8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7fefda61bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7fefda61b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7fefda617eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7fefda61417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7fefda594fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7fefda59428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7fefda59b49
CoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7fefda4dfd3
CoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7fefda4dc58
CoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7fefda4d62f
CoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7fefda4de96
ObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7fefda7aec2
CoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7fefda52324
CoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7fefda506c8
CoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7fefda50699
CoDisableCallCancellation+0x3fc ObjectStublessClient24-0xe4 ole32+0xe7ac @ 0x7fefda3e7ac
CoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7fefda513ba
New_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x7441774b
mobsync+0x6840 @ 0xff2e6840
mobsync+0x70ae @ 0xff2e70ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 42141
exception.address: 0x7fefd4da49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2088832
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2095648
registers.r11: 2090592
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1997880286
registers.r13: 0
1 0 0

__exception__

stacktrace:
Tk_MainLoop+0x122 TkDeleteThreadExitHandler-0x7e tk85+0xc3d02 @ 0x102e3d02
XSetSelectionOwner+0x3a01 Tk_3DHorizontalBevel-0x93f tk85+0x13d601 @ 0x1035d601
Tk_PkgInitStubsCheck-0x30c31 tk85+0x159f @ 0x1022159f
LdrShutdownProcess+0x1d1 NtdllDialogWndProc_W-0x313 ntdll+0x24371 @ 0x76fa4371
RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x76fa4180
_get_pgmptr+0x257 exit-0x55 msvcr90+0x1b8b @ 0x73401b8b
pw+0x123a @ 0x1cef123a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521

exception.instruction_r: ff 90 68 03 00 00 4c 8b 1d 61 a3 0d 00 4c 89 5c
exception.symbol: Tk_MainLoop+0x122 TkDeleteThreadExitHandler-0x7e tk85+0xc3d02
exception.instruction: call qword ptr [rax + 0x368]
exception.module: tk85.dll
exception.exception_code: 0xc0000005
exception.offset: 802050
exception.address: 0x102e3d02
registers.r14: 0
registers.r15: 0
registers.rcx: 271465696
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2488752
registers.r11: 646
registers.r8: 1
registers.r9: 3871472
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 664
region_size: 17358848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c92000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75de1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736e3000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1248
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000007140000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00640000
process_handle: 0xffffffff
1 0 0
section .rsrc: virtual_address 0x0007a000, virtual_size 0x00013000, size_of_data 0x00013000, entropy 7.878 (A section with a high entropy has been found)
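The high-entropy signature above is a Shannon-entropy measurement over the raw bytes of each PE section; 7.878 bits per byte for a 77,824-byte .rsrc section is close to the 8.0 maximum, which is what encrypted or compressed data looks like. The block below is an added example that reproduces that check; it is not ZeroBOX code or code from the sample. The 7.0 cutoff and the section contents are assumptions: the report does not state the threshold the sandbox applied, and the byte contents are constructed (a repeated x86-like code stub, a zero-filled section, and a uniform byte distribution sized to match the reported .rsrc virtual_size).

```python
"""Per-section Shannon entropy check, as a sandbox "high entropy section"
signature computes it.  Added example; not ZeroBOX code or the sample's code."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the report does not state the cutoff the sandbox used, only
# that .rsrc at 7.878 bits/byte tripped the signature.
HIGH_ENTROPY_THRESHOLD = 7.0


@dataclass
class Section:
    name: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_sections(sections: List[Section],
                          threshold: float = HIGH_ENTROPY_THRESHOLD) -> List[Tuple[str, float]]:
    """Return (name, entropy) for every section at or above the threshold."""
    flagged = []
    for s in sections:
        h = shannon_entropy(s.data)
        if h >= threshold:
            flagged.append((s.name, round(h, 3)))
    return flagged


# Constructed stand-ins for the kinds of section met in practice.  A real
# check reads the sections out of the PE (for example with the pefile
# module); the contents here are made up for the demonstration.
CODE_STUB = bytes.fromhex("558bec83ec1053565733c08945f08945f48945f8e800000000")
CONSTRUCTED_SECTIONS = [
    Section(".text", CODE_STUB * 512),          # repetitive code bytes: low entropy
    Section(".bss_like", b"\x00" * 4096),       # zero-filled: entropy 0.0
    Section(".rsrc", bytes(range(256)) * 304),  # 0x13000 bytes, uniform: entropy 8.0
]

if __name__ == "__main__":
    for s in CONSTRUCTED_SECTIONS:
        print(f"{s.name:10s} {len(s.data):7d} bytes  entropy {shannon_entropy(s.data):.3f}")
    print("flagged:", high_entropy_sections(CONSTRUCTED_SECTIONS))
```

Entropy alone does not distinguish an encrypted payload from a legitimately compressed resource (icons, embedded archives), so in triage it is a prompt to look at what the section contains and whether code later reads from it, as the self-allocation of a 17 MB RWX region by PID 664 in this report suggests it does.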
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ea0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1212
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1616
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02740000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 324
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 352
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 664
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x042b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000038c
1 0 0

NtAllocateVirtualMemory

process_identifier: 664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000038c
1 0 0

NtAllocateVirtualMemory

process_identifier: 208
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 1212
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02240000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05430000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01dc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02760000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 2612
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0
file C:\Windows\system.ini
Process injection Process 664 created a remote thread in non-child process 1120
Process injection Process 664 created a remote thread in non-child process 1212
Process injection Process 664 created a remote thread in non-child process 1248
Process injection Process 664 created a remote thread in non-child process 1952
Process injection Process 664 created a remote thread in non-child process 1616
Process injection Process 664 created a remote thread in non-child process 1760
Process injection Process 664 created a remote thread in non-child process 324
Process injection Process 664 created a remote thread in non-child process 352
Process injection Process 664 created a remote thread in non-child process 208
Process injection Process 664 created a remote thread in non-child process 2612
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 0
process_identifier: 1120
function_address: 0x01ea0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001ec
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1212
function_address: 0x00330000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001ec
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1248
function_address: 0x03200000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000270
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1952
function_address: 0x00570000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001ec
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1616
function_address: 0x00170000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000002a4
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1760
function_address: 0x02740000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000270
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 324
function_address: 0x002b0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000002a4
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 352
function_address: 0x00110000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000002a4
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 208
function_address: 0x005f0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000270
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1212
function_address: 0x02240000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000003e8
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1248
function_address: 0x05430000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000003ec
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1952
function_address: 0x01dc0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000003e8
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1760
function_address: 0x02760000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000003ec
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2612
function_address: 0x002e0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000003ec
0 0
Process injection Process 664 manipulating memory of non-child process 1120
Process injection Process 664 manipulating memory of non-child process 1212
Process injection Process 664 manipulating memory of non-child process 1248
Process injection Process 664 manipulating memory of non-child process 1952
Process injection Process 664 manipulating memory of non-child process 1616
Process injection Process 664 manipulating memory of non-child process 1760
Process injection Process 664 manipulating memory of non-child process 324
Process injection Process 664 manipulating memory of non-child process 352
Process injection Process 664 manipulating memory of non-child process 664
Process injection Process 664 manipulating memory of non-child process 208
Process injection Process 664 manipulating memory of non-child process 2612
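The two signature groups above are one procedure seen from two angles: for each target PID, process 664 first calls NtAllocateVirtualMemory through a handle to that process with PAGE_EXECUTE_READWRITE, then calls CreateRemoteThread with function_address equal to the base_address it just obtained. Pairing those two events per target PID and address is the detection. The block below is an added example of that correlation over log entries of the shape this report shows; it is not ZeroBOX code and not the sample's code. The input is constructed: the first eight entries copy values from the report's tables for PID 664, while the PIDs 4242 and 5151 and their handles and addresses are hypothetical additions that exercise an allocate-RW-then-reprotect path (not present in this report) and the no-region negative case. The correlator keys on the region having been made executable, not on whether the thread started, since the report's CreateRemoteThread rows carry thread_identifier 0.

```python
"""Correlate remote executable regions with CreateRemoteThread start addresses.
Added example for this report; not ZeroBOX code and not the sample's code."""
from dataclasses import dataclass
from typing import Dict, List

# PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
# Pseudo-handles GetCurrentProcess() returns on 32- and 64-bit Windows.
SELF_HANDLES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}


@dataclass
class ApiCall:
    api: str
    caller_pid: int       # process issuing the call (664 in the report)
    target_pid: int       # the report's process_identifier column
    process_handle: int
    address: int          # base_address for memory calls, function_address for threads
    size: int = 0         # region_size / length; unused for CreateRemoteThread
    protection: int = 0   # new page protection; unused for CreateRemoteThread


@dataclass
class Finding:
    caller_pid: int
    target_pid: int
    thread_start: int
    via: str              # the call that made the region executable


def find_remote_thread_injections(calls: List[ApiCall]) -> List[Finding]:
    """Flag CreateRemoteThread calls whose start address lies inside a region the
    same caller earlier allocated or re-protected executable through a real
    (non-pseudo) handle to another process."""
    exec_regions: Dict[int, List[ApiCall]] = {}   # target_pid -> remote executable regions
    findings: List[Finding] = []
    for c in calls:
        crosses_process = c.target_pid != c.caller_pid and c.process_handle not in SELF_HANDLES
        if c.api in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            if crosses_process and c.protection & EXECUTE_MASK:
                exec_regions.setdefault(c.target_pid, []).append(c)
        elif c.api == "CreateRemoteThread" and c.target_pid != c.caller_pid:
            for region in exec_regions.get(c.target_pid, []):
                if (region.caller_pid == c.caller_pid
                        and region.address <= c.address < region.address + region.size):
                    findings.append(Finding(c.caller_pid, c.target_pid, c.address, region.api))
                    break
    return findings


RWX, RW, RX = 0x40, 0x04, 0x20

# Constructed input.  Entries for PIDs 1120, 1212, 1248 and the two 664 self
# allocations copy the report; PIDs 4242 and 5151 are hypothetical.
SAMPLE_CALLS = [
    ApiCall("NtAllocateVirtualMemory", 664, 664, 0xFFFFFFFF, 0x02AD0000, size=17358848, protection=RWX),
    ApiCall("NtAllocateVirtualMemory", 664, 1120, 0x1EC, 0x01EA0000, size=8192, protection=RWX),
    ApiCall("NtAllocateVirtualMemory", 664, 1212, 0x1EC, 0x00330000, size=8192, protection=RWX),
    ApiCall("NtAllocateVirtualMemory", 664, 1248, 0x270, 0x03200000, size=8192, protection=RWX),
    ApiCall("NtAllocateVirtualMemory", 664, 664, 0x38C, 0x042B0000, size=8192, protection=RWX),
    ApiCall("CreateRemoteThread", 664, 1120, 0x1EC, 0x01EA0000),
    ApiCall("CreateRemoteThread", 664, 1212, 0x1EC, 0x00330000),
    ApiCall("CreateRemoteThread", 664, 1248, 0x270, 0x03200000),
    # hypothetical: allocate RW, flip to RX, start a thread 0x10 bytes into the region
    ApiCall("NtAllocateVirtualMemory", 664, 4242, 0x400, 0x00400000, size=8192, protection=RW),
    ApiCall("NtProtectVirtualMemory", 664, 4242, 0x400, 0x00400000, size=8192, protection=RX),
    ApiCall("CreateRemoteThread", 664, 4242, 0x400, 0x00400010),
    # hypothetical: a thread into a process with no logged remote executable region
    ApiCall("CreateRemoteThread", 664, 5151, 0x404, 0x00500000),
]

if __name__ == "__main__":
    for f in find_remote_thread_injections(SAMPLE_CALLS):
        print(f"{f.caller_pid} -> {f.target_pid}: thread at {f.thread_start:#010x} via {f.via}")
```

The self allocations (pseudo-handle 0xffffffff, or a real handle to the caller's own PID such as 0x38c here) are deliberately not treated as injection: they are how the sample stages its own unpacked code, and flagging them would fire on every packer. What a hunt on endpoint telemetry gains from this correlator over a bare CreateRemoteThread alert is the address match, which ties the thread to memory the injector itself made executable.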
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ea0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1212
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1616
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02740000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 324
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 352
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 664
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x042b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000038c
1 0 0

NtAllocateVirtualMemory

process_identifier: 664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000038c
1 0 0

NtAllocateVirtualMemory

process_identifier: 208
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000270
1 0 0

NtAllocateVirtualMemory

process_identifier: 1212
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02240000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1248
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05430000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01dc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02760000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 2612
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003ec
1 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
description disables user access control notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall exceptions registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
Bkav W32.Sality.PE
Lionic Worm.Win32.WBNA.o!c
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Sality.3
FireEye Generic.mg.44b42e92ffe33907
CAT-QuickHeal W32.Sality.U
McAfee W32/Sality.gen.z
Cylance Unsafe
Zillya Virus.Sality.Win32.25
Sangfor Worm.Win32.WBNA.roc
K7AntiVirus Virus ( f10001071 )
Alibaba Virus:Win32/Sality.14ba787a
K7GW Virus ( f10001071 )
Cybereason malicious.2ffe33
Baidu Win32.Virus.Sality.gen
Cyren W32/Sality.gen2
Symantec W32.Sality.AE
ESET-NOD32 Win32/Sality.NBA
APEX Malicious
Paloalto generic.ml
Kaspersky Worm.Win32.WBNA.roc
BitDefender Win32.Sality.3
NANO-Antivirus Virus.Win32.Sality.beygb
Avast Win32:SaliCode [Inf]
Tencent Virus.Win32.TuTu.Gen.200004
Ad-Aware Win32.Sality.3
TACHYON Virus/W32.Sality.D
Sophos Mal/Generic-R + Mal/Sality-D
Comodo Virus.Win32.Sality.gen@1egj5j
DrWeb Win32.Sector.30
VIPRE Virus.Win32.Sality.at (v)
TrendMicro PE_SALITY.RL
McAfee-GW-Edition BehavesLike.Win32.Infected.hh
Emsisoft Win32.Sality.3 (B)
Ikarus Trojan-Downloader
Jiangmin Win32/HLLP.Kuku.poly2
Avira W32/Sality.AT
Antiy-AVL Trojan/Generic.ASVirus.C4
Microsoft Virus:Win32/Sality.AT
ViRobot Win32.Sality.Gen.A
GData Win32.Sality.3
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Kashu.E
Acronis suspicious
BitDefenderTheta AI:FileInfector.A5ECCBAB0E
MAX malware (ai score=83)
VBA32 Virus.Win32.Sality.bakc
TrendMicro-HouseCall PE_SALITY.RL
Rising Virus.Sality!1.A5BD (CLASSIC)
Yandex Trojan.GenAsa!IQNcZjUhnbU