Summary | ZeroBOX

update.exe

Tags: Generic Malware, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: July 20, 2021, 3:41 p.m.
Completed: July 20, 2021, 3:43 p.m.
Size: 554.1KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 44b42e92ffe33907c539d1135bb05239
SHA256: 2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
CRC32: 8B5C6936
ssdeep: 6144:aJOnI2caT+aLwjBbZoTFS8nGzIgPc1iq478mSvL5Fx7b06+Mt6twbZD8c+XRs9L6:ViaT+aLwQ/yX78l+Btth4G
Yara
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
Hosts (IP Address / Status / Action):
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
update+0x7cbcd @ 0x47cbcd

exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff
exception.symbol: lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a
exception.instruction: mov cl, byte ptr [eax]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41802
exception.address: 0x76a7a34a
registers.esp: 40304432
registers.edi: 2191982609
registers.eax: 2191982609
registers.ebp: 40304472
registers.edx: 2191982610
registers.ebx: 45072780
registers.esi: 4704206
registers.ecx: 146
1 0 0

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1637432
registers.edi: 1637620
registers.eax: 1637432
registers.ebp: 1637512
registers.edx: 0
registers.ebx: 2874000
registers.esi: 1637620
registers.ecx: 2
1 0 0

__exception__

stacktrace:
0x2791304
0x30 (the same value repeats for the remaining 63 frames of the walk)

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 79
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2791304
registers.r14: 0
registers.r15: 65646
registers.rcx: 48
registers.rsi: 2149646339
registers.r10: 0
registers.rbx: 0
registers.rsp: 48363272
registers.r11: 48364272
registers.r8: 1999536524
registers.r9: 0
registers.rdx: 8796092658256
registers.r12: 4294967295
registers.rbp: 48363392
registers.rdi: 0
registers.rax: 41489152
registers.r13: 8791671956160
1 0 0

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feff3f62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7feff22b949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff3f21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff2ad8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feff2b1bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feff2b1b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feff2b17eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feff2b1417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feff2a94fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feff2a9428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feff2a9b49
CoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7feff29dfd3
CoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7feff29dc58
CoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7feff29d62f
CoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7feff29de96
ObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7feff2caec2
CoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7feff2a2324
CoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7feff2a06c8
CoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7feff2a0699
CoDisableCallCancellation+0x3fc ObjectStublessClient24-0xe4 ole32+0xe7ac @ 0x7feff28e7ac
CoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7feff2a13ba
New_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x7443774b
mobsync+0x6840 @ 0xffcd6840
mobsync+0x70ae @ 0xffcd70ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 42141
exception.address: 0x7fefd6da49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2679424
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2686240
registers.r11: 2681184
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1997476204
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1108
region_size: 17358848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03e21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04171000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ae4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03e22000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74c41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70a61000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13728751616
free_bytes_available: 13728751616
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x026f0000
process_handle: 0xffffffff
1 0 0
section .rsrc: virtual_address 0x0007a000, virtual_size 0x00013000, size_of_data 0x00013000, entropy 7.87831034617 (a section with high entropy has been found)
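The entropy figure above is the sandbox's static finding: about 7.88 bits per byte over the 0x13000-byte .rsrc section, which is what a compressed or encrypted payload stored as a resource looks like. The Python below is an added example, not the report's or the sandbox's code: it computes the same statistic per section by walking the PE section table with the standard library only (no pefile) and flags sections at or above a threshold of 7.0, a value chosen here rather than taken from the report. make_sample_pe() builds a constructed two-section PE32 so the script runs offline; pass a real file's bytes to high_entropy_sections() instead.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Yield (name, virtual_address, virtual_size, raw_bytes) from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, image[raw_ptr:raw_ptr + raw_size]


def high_entropy_sections(image, threshold=7.0):
    """[(name, entropy)] for sections whose raw data is at or above the threshold (7.0 is an assumption)."""
    flagged = []
    for name, _va, _vsize, raw in pe_sections(image):
        h = shannon_entropy(raw)
        if h >= threshold:
            flagged.append((name, round(h, 3)))
    return flagged


def make_sample_pe():
    """Constructed two-section PE32: low-entropy .text, pseudo-random .rsrc standing in for a packed blob."""
    text = b"\x90" * 4096 + b"\xc3" * 4096
    rsrc = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(1024))
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * 2
    text_ptr = (headers_len + file_align - 1) & ~(file_align - 1)
    rsrc_ptr = (text_ptr + len(text) + file_align - 1) & ~(file_align - 1)

    def section(name, va, data, ptr):
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)   # i386, two sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)               # PE32 magic, rest zeroed
    headers = (dos + b"PE\0\0" + coff + opt
               + section(b".text", 0x1000, text, text_ptr)
               + section(b".rsrc", 0x7A000, rsrc, rsrc_ptr))
    image = bytearray(rsrc_ptr + len(rsrc))
    image[:len(headers)] = headers
    image[text_ptr:text_ptr + len(text)] = text
    image[rsrc_ptr:rsrc_ptr + len(rsrc)] = rsrc
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()
    for name, va, vsize, raw in pe_sections(data):
        print(f"{name:8s} va={va:#010x} vsize={vsize:#x} entropy={shannon_entropy(raw):.3f}")
    print("flagged:", high_entropy_sections(data))
```

A flagged section is a lead, not a verdict: legitimately compressed resources (icons, embedded archives) score just as high, so pair the number with where the section is read from at runtime.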
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 1496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1068
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01b10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000368
1 0 0

NtAllocateVirtualMemory

process_identifier: 3064
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1108
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0
file C:\Windows\system.ini
Process injection Process 1108 created a remote thread in non-child process 1284
Process injection Process 1108 created a remote thread in non-child process 1496
Process injection Process 1108 created a remote thread in non-child process 1848
Process injection Process 1108 created a remote thread in non-child process 2816
Process injection Process 1108 created a remote thread in non-child process 2120
Process injection Process 1108 created a remote thread in non-child process 1068
Process injection Process 1108 created a remote thread in non-child process 3064
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 0
process_identifier: 1284
function_address: 0x01e70000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001b0
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1496
function_address: 0x01cc0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000240
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1848
function_address: 0x024d0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001b0
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2816
function_address: 0x00140000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001b0
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2120
function_address: 0x001a0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000240
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1068
function_address: 0x01b10000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000368
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 3064
function_address: 0x00690000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000240
0 0
Process injection Process 1108 manipulating memory of non-child process 1284
Process injection Process 1108 manipulating memory of non-child process 1496
Process injection Process 1108 manipulating memory of non-child process 1848
Process injection Process 1108 manipulating memory of non-child process 2816
Process injection Process 1108 manipulating memory of non-child process 2120
Process injection Process 1108 manipulating memory of non-child process 1068
Process injection Process 1108 manipulating memory of non-child process 3064
Process injection Process 1108 manipulating memory of non-child process 1108
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 1496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1068
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01b10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000368
1 0 0

NtAllocateVirtualMemory

process_identifier: 3064
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1108
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000240
1 0 0
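The records above repeat one pattern seven times: an 8 KiB PAGE_EXECUTE_READWRITE region allocated through a foreign process handle (0x1b0, 0x240, 0x368), then a CreateRemoteThread whose function_address equals that region's base. Alongside them, single pages of the sample's own process at addresses such as 0x76891000 and 0x77371000 are flipped to RWX, which is consistent with patching loaded system DLLs in place (an interpretation, not a statement of the report). The Python below is an added example, not the sandbox's or the report's code: it parses records in the page's own layout, links each remote RWX allocation to the remote thread started inside it, and lists the self-reprotections separately. SAMPLE_LOG is a constructed excerpt built from values shown on this page; 0xffffffff is the NtCurrentProcess() pseudo-handle as logged for the sample itself. One further interpretation, again not stated by the report: the third exception record is an x64 fault whose leading bytes 83 3d 8d d1 02 00 00 and ff 25 00 00 00 00 are the 32-bit encodings of cmp dword ptr [0x2d18d], 0 and jmp dword ptr [0x0] but decode rip-relative in 64-bit mode, which is what 32-bit injected code produces when it lands in a 64-bit process.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40
SELF_PROCESS = 0xFFFFFFFF   # NtCurrentProcess() pseudo-handle as the monitor logs it

# Constructed excerpt in the report's layout; values come from this page.
SAMPLE_LOG = """\
NtAllocateVirtualMemory
process_identifier: 1108
region_size: 17358848
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a70000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 1108
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory
process_identifier: 1284
region_size: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
process_handle: 0x000001b0
1 0 0

CreateRemoteThread
process_identifier: 1284
function_address: 0x01e70000
process_handle: 0x000001b0
0 0

CreateRemoteThread
process_identifier: 2816
function_address: 0x00140000
process_handle: 0x000001b0
0 0
"""

STATUS_ROW = re.compile(r"\d+(?: \d+){1,2}")   # "1 0 0" or "0 0" closes a record


def parse_calls(text):
    """Split the flattened report text into {"api": name, "args": {...}} records."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time & API"):
            continue
        if STATUS_ROW.fullmatch(line):
            cur = None
        elif ":" not in line:            # a bare API name opens a new record
            cur = {"api": line, "args": {}}
            calls.append(cur)
        elif cur is not None:
            key, value = line.split(":", 1)
            cur["args"][key.strip()] = value.strip()
    return calls


def as_int(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x000001b0' -> 432."""
    return int(value.split()[0], 0)


def find_injection_chains(calls):
    """Pair remote RWX allocations with the remote thread started inside them."""
    remote_allocs = [
        (as_int(c["args"]["process_identifier"]), as_int(c["args"]["base_address"]),
         as_int(c["args"]["region_size"]))
        for c in calls
        if c["api"] == "NtAllocateVirtualMemory"
        and as_int(c["args"]["process_handle"]) != SELF_PROCESS
        and as_int(c["args"]["protection"]) & PAGE_EXECUTE_READWRITE
    ]
    chains, orphans = [], []
    for c in calls:
        if c["api"] != "CreateRemoteThread":
            continue
        pid, start = as_int(c["args"]["process_identifier"]), as_int(c["args"]["function_address"])
        hit = [(b, s) for p, b, s in remote_allocs if p == pid and b <= start < b + s]
        if hit:
            chains.append({"pid": pid, "base": hit[0][0], "size": hit[0][1], "start": start})
        else:
            orphans.append(pid)          # thread seen, allocation missing from the excerpt
    return chains, orphans


def rwx_reprotections_in_self(calls):
    """Pages of the sample's own process flipped to PAGE_EXECUTE_READWRITE."""
    return [(as_int(c["args"]["base_address"]), as_int(c["args"]["length"]))
            for c in calls
            if c["api"] == "NtProtectVirtualMemory"
            and as_int(c["args"]["process_handle"]) == SELF_PROCESS
            and as_int(c["args"]["protection"]) & PAGE_EXECUTE_READWRITE]


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LOG)
    chains, orphans = find_injection_chains(calls)
    for ch in chains:
        print(f"pid {ch['pid']}: RWX {ch['base']:#010x}+{ch['size']:#x}, thread at {ch['start']:#010x}")
    print("remote threads with no matching allocation in excerpt:", orphans)
    print("own pages made RWX:", [f"{b:#010x}+{n:#x}" for b, n in rwx_reprotections_in_self(calls)])
```

Keying on process_identifier rather than process_handle matters here: the page shows handle 0x240 reused for 1496, 2120, 3064 and 1108, so the raw handle value alone would conflate four targets.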
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
description disables user access control notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall exceptions registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
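The registry paths above are the ones the report saw the sample touch; it records which values were opened or set, not what was written. The Python below is an added check, not part of the report: run `reg query "<key>"` for each key on a suspect host (the Wow6432Node paths are the 32-bit view, as logged here), feed the saved text to it on an analyst machine, and it reports every value that departs from a hardened baseline. That baseline (EnableLUA=1, EnableFirewall=1, every *Override, *DisableNotify and DoNotAllowExceptions value 0) is an assumption made for this example; absent values are treated as still at their default and skipped, and the HKCU Explorer\Advanced\Hidden value is left out because it is a user preference. SAMPLE_DUMP is constructed.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
SC = HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center"
FW = HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

# Assumed hardened baseline for the values this report lists (not taken from the report).
EXPECTED = {
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 1,
    (SC, "AntiVirusOverride"): 0,
    (SC, "AntiVirusDisableNotify"): 0,
    (SC, "FirewallOverride"): 0,
    (SC, "FirewallDisableNotify"): 0,
    (SC, "UpdatesDisableNotify"): 0,
    (SC, "UacDisableNotify"): 0,
    (FW, "EnableFirewall"): 1,
    (FW, "DoNotAllowExceptions"): 0,
    (FW, "DisableNotifications"): 0,
}

# Constructed `reg query` output from a hypothetical tampered host.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
    AntiVirusOverride    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x0
    UacDisableNotify    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
    DoNotAllowExceptions    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")   # reg.exe pads columns with 4 spaces


def parse_reg_query(text):
    """Map (key, value name) -> (type, data) from reg.exe text output."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key is not None:
            m = VALUE_LINE.match(line)
            if m:
                name, vtype, data = m.groups()
                values[(key, name)] = (vtype, data.strip())
    return values


def audit(values):
    """(subkey, name, got, want) for each present value that deviates from the baseline.
    Missing values are skipped: Security Center and firewall defaults apply when they are absent."""
    findings = []
    for (key, name), want in EXPECTED.items():
        entry = values.get((key, name))
        if entry is None:
            continue
        vtype, data = entry
        got = int(data, 16) if vtype == "REG_DWORD" else data
        if got != want:
            findings.append((key.rsplit("\\", 1)[1], name, got, want))
    return findings


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for subkey, name, got, want in audit(parse_reg_query(dump)):
        print(f"{subkey}\\{name}: {got} (expected {want})")
```

Restoring the values is not a cleanup on its own: with the injection and DLL patching shown earlier on this page, the process that rewrote them is still resident, so the check belongs after containment, not instead of it.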
Antivirus Result
Bkav W32.Sality.PE
Lionic Worm.Win32.WBNA.o!c
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Sality.3
FireEye Generic.mg.44b42e92ffe33907
CAT-QuickHeal W32.Sality.U
McAfee W32/Sality.gen.z
Cylance Unsafe
Zillya Virus.Sality.Win32.25
Sangfor Worm.Win32.WBNA.roc
K7AntiVirus Virus ( f10001071 )
Alibaba Virus:Win32/Sality.14ba787a
K7GW Virus ( f10001071 )
Cybereason malicious.2ffe33
Baidu Win32.Virus.Sality.gen
Cyren W32/Sality.gen2
Symantec W32.Sality.AE
ESET-NOD32 Win32/Sality.NBA
APEX Malicious
Paloalto generic.ml
Kaspersky Worm.Win32.WBNA.roc
BitDefender Win32.Sality.3
NANO-Antivirus Virus.Win32.Sality.beygb
Avast Win32:SaliCode [Inf]
Tencent Virus.Win32.TuTu.Gen.200004
Ad-Aware Win32.Sality.3
TACHYON Virus/W32.Sality.D
Sophos Mal/Generic-R + Mal/Sality-D
Comodo Virus.Win32.Sality.gen@1egj5j
DrWeb Win32.Sector.30
VIPRE Virus.Win32.Sality.at (v)
TrendMicro PE_SALITY.RL
McAfee-GW-Edition BehavesLike.Win32.Infected.hh
Emsisoft Win32.Sality.3 (B)
Ikarus Trojan-Downloader
Jiangmin Win32/HLLP.Kuku.poly2
Avira W32/Sality.AT
Antiy-AVL Trojan/Generic.ASVirus.C4
Microsoft Virus:Win32/Sality.AT
ViRobot Win32.Sality.Gen.A
GData Win32.Sality.3
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Kashu.E
Acronis suspicious
BitDefenderTheta AI:FileInfector.A5ECCBAB0E
MAX malware (ai score=83)
VBA32 Virus.Win32.Sality.bakc
TrendMicro-HouseCall PE_SALITY.RL
Rising Virus.Sality!1.A5BD (CLASSIC)
Yandex Trojan.GenAsa!IQNcZjUhnbU