Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 27, 2021, 5:53 p.m.	July 27, 2021, 5:55 p.m.

Size	626.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2d5e1b62b58404ac5040f7454b9a73fe`
SHA256	`871e94eda4712d5e5549cdb71e84f794baa7fe2b52ba191ecbbcd576549fd94d`
CRC32	`866A18AA`
ssdeep	`12288:9V1gsD1nB3pSp0Yxd64DOKLLX6liI+aKCDd8bognRUSaHNKnj3O:9VKsV/Sp0q62BL+caTDcot1kj+`
Yara	IsPE32 - (no description) Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

nputty.exe "C:\Users\test22\AppData\Local\Temp\nputty.exe"
1784
- nputty.exe C:\Users\test22\AppData\Local\Temp\nputty.exe
  2372
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmpB011.tmp"
    2472

Name	Response	Post-Analysis Lookup
asweee.jumpingcrab.com	A 46.183.223.113	46.183.223.113
tryweaswweee.ydns.eu	A 37.0.11.232	37.0.11.232

IP Address	Status	Action
164.124.101.2	Active	Moloch
37.0.11.232	Active	Moloch
46.183.223.113	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 27, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 27, 2021, 5:53 p.m.			0	0
IsDebuggerPresent July 27, 2021, 5:53 p.m.			0	0
IsDebuggerPresent July 27, 2021, 5:53 p.m.			0	0
IsDebuggerPresent July 27, 2021, 5:53 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 27, 2021, 5:53 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 27, 2021, 5:53 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 27, 2021, 5:53 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7509b37e 0x230ad8d 0x230ad02 0x2308524 0x2307933 0x23009a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73af1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73af1737 mscorlib+0x2d36ad @ 0x721d36ad mscorlib+0x308f2d @ 0x72208f2d mscorlib+0x3135ed @ 0x722135ed 0x72229d 0x722120 system+0x1f9799 @ 0x70b59799 system+0x1f92c8 @ 0x70b592c8 system+0x1eca74 @ 0x70b4ca74 system+0x1ec868 @ 0x70b4c868 system+0x1f82b8 @ 0x70b582b8 system+0x1ee54d @ 0x70b4e54d system+0x1f70ea @ 0x70b570ea system+0x1e56c0 @ 0x70b456c0 system+0x1f8215 @ 0x70b58215 system+0x1f6f75 @ 0x70b56f75 system+0x1ee251 @ 0x70b4e251 system+0x1ee229 @ 0x70b4e229 system+0x1ee170 @ 0x70b4e170 0x5da08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a system+0x1ebc85 @ 0x70b4bc85 system+0x1f683b @ 0x70b5683b system+0x1e592f @ 0x70b4592f 0x721c1f system+0x1f9799 @ 0x70b59799 system+0x1f92c8 @ 0x70b592c8 system+0x1eca74 @ 0x70b4ca74 system+0x1ec868 @ 0x70b4c868 system+0x1f82b8 @ 0x70b582b8 system+0x1ee54d @ 0x70b4e54d system+0x1f70ea @ 0x70b570ea system+0x1e56c0 @ 0x70b456c0 system+0x1f8215 @ 0x70b58215 system+0x1f6f75 @ 0x70b56f75 system+0x1ee251 @ 0x70b4e251 system+0x1ee229 @ 0x70b4e229 system+0x1ee170 @ 0x70b4e170 0x5da08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a system+0x1ebc85 @ 0x70b4bc85 system+0x1f683b @ 0x70b5683b system+0x1e592f @ 0x70b4592f 0x7219b2 system+0x19c522 @ 0x70afc522 system+0x19e920 @ 0x70afe920 system+0x19e803 @ 0x70afe803 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7509b479 registers.esp: 1760604 registers.edi: 1955258312 registers.eax: 3211264 registers.ebp: 1760808 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0
__exception__ July 27, 2021, 5:53 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7509b37e 0x230ad8d 0x230ad02 0x2308524 0x2307933 0x23009a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73af1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73af1737 mscorlib+0x2d36ad @ 0x721d36ad mscorlib+0x308f2d @ 0x72208f2d mscorlib+0x3135ed @ 0x722135ed 0x72229d 0x722120 system+0x1f9799 @ 0x70b59799 system+0x1f92c8 @ 0x70b592c8 system+0x1eca74 @ 0x70b4ca74 system+0x1ec868 @ 0x70b4c868 system+0x1f82b8 @ 0x70b582b8 system+0x1ee54d @ 0x70b4e54d system+0x1f70ea @ 0x70b570ea system+0x1e56c0 @ 0x70b456c0 system+0x1f8215 @ 0x70b58215 system+0x1f6f75 @ 0x70b56f75 system+0x1ee251 @ 0x70b4e251 system+0x1ee229 @ 0x70b4e229 system+0x1ee170 @ 0x70b4e170 0x5da08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a system+0x1ebc85 @ 0x70b4bc85 system+0x1f683b @ 0x70b5683b system+0x1e592f @ 0x70b4592f 0x721c1f system+0x1f9799 @ 0x70b59799 system+0x1f92c8 @ 0x70b592c8 system+0x1eca74 @ 0x70b4ca74 system+0x1ec868 @ 0x70b4c868 system+0x1f82b8 @ 0x70b582b8 system+0x1ee54d @ 0x70b4e54d system+0x1f70ea @ 0x70b570ea system+0x1e56c0 @ 0x70b456c0 system+0x1f8215 @ 0x70b58215 system+0x1f6f75 @ 0x70b56f75 system+0x1ee251 @ 0x70b4e251 system+0x1ee229 @ 0x70b4e229 system+0x1ee170 @ 0x70b4e170 0x5da08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a system+0x1ebc85 @ 0x70b4bc85 system+0x1f683b @ 0x70b5683b system+0x1e592f @ 0x70b4592f 0x7219b2 system+0x19c522 @ 0x70afc522 system+0x19e920 @ 0x70afe920 system+0x19e803 @ 0x70afe803 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7509b479 registers.esp: 1760604 registers.edi: 1955258312 registers.eax: 3211264 registers.ebp: 1760808 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 27, 2021, 5:53 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7509b37e
0x230ad8d
0x230ad02
0x2308524
0x2307933
0x23009a0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73af1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73af1737
mscorlib+0x2d36ad @ 0x721d36ad
mscorlib+0x308f2d @ 0x72208f2d
mscorlib+0x3135ed @ 0x722135ed
0x72229d
0x722120
system+0x1f9799 @ 0x70b59799
system+0x1f92c8 @ 0x70b592c8
system+0x1eca74 @ 0x70b4ca74
system+0x1ec868 @ 0x70b4c868
system+0x1f82b8 @ 0x70b582b8
system+0x1ee54d @ 0x70b4e54d
system+0x1f70ea @ 0x70b570ea
system+0x1e56c0 @ 0x70b456c0
system+0x1f8215 @ 0x70b58215
system+0x1f6f75 @ 0x70b56f75
system+0x1ee251 @ 0x70b4e251
system+0x1ee229 @ 0x70b4e229
system+0x1ee170 @ 0x70b4e170
0x5da08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a
system+0x1ebc85 @ 0x70b4bc85
system+0x1f683b @ 0x70b5683b
system+0x1e592f @ 0x70b4592f
0x721c1f
system+0x1f9799 @ 0x70b59799
system+0x1f92c8 @ 0x70b592c8
system+0x1eca74 @ 0x70b4ca74
system+0x1ec868 @ 0x70b4c868
system+0x1f82b8 @ 0x70b582b8
system+0x1ee54d @ 0x70b4e54d
system+0x1f70ea @ 0x70b570ea
system+0x1e56c0 @ 0x70b456c0
system+0x1f8215 @ 0x70b58215
system+0x1f6f75 @ 0x70b56f75
system+0x1ee251 @ 0x70b4e251
system+0x1ee229 @ 0x70b4e229
system+0x1ee170 @ 0x70b4e170
0x5da08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a
system+0x1ebc85 @ 0x70b4bc85
system+0x1f683b @ 0x70b5683b
system+0x1e592f @ 0x70b4592f
0x7219b2
system+0x19c522 @ 0x70afc522
system+0x19e920 @ 0x70afe920
system+0x19e803 @ 0x70afe803

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7509b479
registers.esp: 1760604
registers.edi: 1955258312
registers.eax: 3211264
registers.ebp: 1760808
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

July 27, 2021, 5:53 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7509b37e
0x230ad8d
0x230ad02
0x2308524
0x2307933
0x23009a0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73af1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73af1737
mscorlib+0x2d36ad @ 0x721d36ad
mscorlib+0x308f2d @ 0x72208f2d
mscorlib+0x3135ed @ 0x722135ed
0x72229d
0x722120
system+0x1f9799 @ 0x70b59799
system+0x1f92c8 @ 0x70b592c8
system+0x1eca74 @ 0x70b4ca74
system+0x1ec868 @ 0x70b4c868
system+0x1f82b8 @ 0x70b582b8
system+0x1ee54d @ 0x70b4e54d
system+0x1f70ea @ 0x70b570ea
system+0x1e56c0 @ 0x70b456c0
system+0x1f8215 @ 0x70b58215
system+0x1f6f75 @ 0x70b56f75
system+0x1ee251 @ 0x70b4e251
system+0x1ee229 @ 0x70b4e229
system+0x1ee170 @ 0x70b4e170
0x5da08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a
system+0x1ebc85 @ 0x70b4bc85
system+0x1f683b @ 0x70b5683b
system+0x1e592f @ 0x70b4592f
0x721c1f
system+0x1f9799 @ 0x70b59799
system+0x1f92c8 @ 0x70b592c8
system+0x1eca74 @ 0x70b4ca74
system+0x1ec868 @ 0x70b4c868
system+0x1f82b8 @ 0x70b582b8
system+0x1ee54d @ 0x70b4e54d
system+0x1f70ea @ 0x70b570ea
system+0x1e56c0 @ 0x70b456c0
system+0x1f8215 @ 0x70b58215
system+0x1f6f75 @ 0x70b56f75
system+0x1ee251 @ 0x70b4e251
system+0x1ee229 @ 0x70b4e229
system+0x1ee170 @ 0x70b4e170
0x5da08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x766b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x766b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x766b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x766b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7717011a
system+0x1ebc85 @ 0x70b4bc85
system+0x1f683b @ 0x70b5683b
system+0x1e592f @ 0x70b4592f
0x7219b2
system+0x19c522 @ 0x70afc522
system+0x19e920 @ 0x70afe920
system+0x19e803 @ 0x70afe803

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 92 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02132000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0675f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02301000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02302000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02304000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02305000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02306000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02307000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02308000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02309000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0230a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 1784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0230b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2372 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (1 event)

cmdline

"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmpB011.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 27, 2021, 5:53 p.m.	thread_identifier: 2476 thread_handle: 0x0000026c process_identifier: 2472 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmpB011.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000270	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 27, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 27, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 27, 2021, 5:53 p.m.	status_code: 0xffffffff process_identifier: 2336 process_handle: 0x00000274		0	0
NtTerminateProcess July 27, 2021, 5:53 p.m.	status_code: 0xffffffff process_identifier: 2336 process_handle: 0x00000274	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmpB011.tmp"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2336 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c		3221225496	0
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2372 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 27, 2021, 5:53 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

nputty.exe tried to sleep 4198643509 seconds, actually delayed analysis time by 4198643509 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 manipulating memory of non-child process 2336
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2336 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c		3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2372 process_handle: 0x00000270	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2372 process_handle: 0x00000270	1	1	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
ESET-NOD32	a variant of MSIL/GenKryptik.FHZP
APEX	Malicious
Sophos	Generic ML PUA (PUA)
FireEye	Generic.mg.2d5e1b62b58404ac
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
BitDefenderTheta	Gen:NN.ZemsilF.34050.Nm0@a0nCjIl
Ikarus	Trojan-Spy.FormBook
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	HEUR/QVM03.0.DC56.Malware.Gen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 called NtSetContextThread to modify thread in remote process 2372
NtSetContextThread July 27, 2021, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2372	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\nputty.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 resumed a thread in remote process 2372
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2372	1	0	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1784	1	0
CreateProcessInternalW July 27, 2021, 5:53 p.m.	thread_identifier: 2340 thread_handle: 0x00000268 process_identifier: 2336 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\nputty.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2336 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c		3221225496
CreateProcessInternalW July 27, 2021, 5:53 p.m.	thread_identifier: 2376 thread_handle: 0x00000274 process_identifier: 2372 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\nputty.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000270	1	1
NtGetContextThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory July 27, 2021, 5:53 p.m.	process_identifier: 2372 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: base_address: 0x00402000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: base_address: 0x00422000 process_identifier: 2372 process_handle: 0x00000270	1	1
WriteProcessMemory July 27, 2021, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2372 process_handle: 0x00000270	1	1
NtSetContextThread July 27, 2021, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2372	1	0
CreateProcessInternalW July 27, 2021, 5:53 p.m.	thread_identifier: 2476 thread_handle: 0x0000026c process_identifier: 2472 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmpB011.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000270	1	1
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:53 p.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:54 p.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:54 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:54 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:54 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:54 p.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread July 27, 2021, 5:55 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2372	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	37.0.11.232:8234
dead_host	46.183.223.113:8234

nputty.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All