Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 2, 2021, 5:51 p.m.	Aug. 2, 2021, 6 p.m.

Size	774.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4c10c29f43c09ee1abacf83fa03bbbc7`
SHA256	`4eddc651b926884ace9794bd4a5dae0c872a2cd2d7ff56bdc4032b9411ec08d2`
CRC32	`E2CCD25B`
ssdeep	`24576:UGq8HzGC9mIzUewRTCFp2iDM7PdKxXv33MhvSGW/OXf57N:L5rM7PQlP3M9SGW/Ov9`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

allparts.exe "C:\Users\test22\AppData\Local\Temp\allparts.exe"
1600
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp"
  2848
- allparts.exe "C:\Users\test22\AppData\Local\Temp\allparts.exe"
  2964
  - dw20.exe dw20.exe -x -s 408
    3052

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 2, 2021, 5:51 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:53 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:53 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 2, 2021, 5:53 p.m.	buffer: SUCCESS: The scheduled task "Updates\uAaeNW" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2021, 5:51 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00815000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:51 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00578000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00579000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:52 p.m.	process_identifier: 1600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 2, 2021, 5:53 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000c0e00', u'virtual_address': u'0x00002000', u'entropy': 7.556102588523594, u'name': u'.text', u'virtual_size': u'0x000c0c9c'}

entropy

7.55610258852

description

A section with a high entropy has been found

entropy

0.997414350356

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 2, 2021, 5:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 2, 2021, 5:53 p.m.	status_code: 0xffffffff process_identifier: 2928 process_handle: 0x000003dc		0	0
NtTerminateProcess Aug. 2, 2021, 5:53 p.m.	status_code: 0xffffffff process_identifier: 2928 process_handle: 0x000003dc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp"

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 2, 2021, 5:53 p.m.	process_identifier: 2928 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344		3221225496	0
NtAllocateVirtualMemory Aug. 2, 2021, 5:53 p.m.	process_identifier: 2964 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1600 manipulating memory of non-child process 2928
NtAllocateVirtualMemory Aug. 2, 2021, 5:53 p.m.	process_identifier: 2928 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÌaàXþu @ À@°uK H.textV X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamemKFbjsWCYvupjvYxJpABmxXL.exe(LegalCopyright dOriginalFilenamemKFbjsWCYvupjvYxJpABmxXL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2964 process_handle: 0x000003d8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÌaàXþu @ À@°uK H.textV X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2964 process_handle: 0x000003d8	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.4c10c29f43c09ee1
Cylance	Unsafe
Cyren	W32/MSIL_Kryptik.DMC.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ACEV
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Tencent	Win32.Trojan.Inject.Auto
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
Sophos	ML/PE-A
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!4C10C29F43C0
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.GIQ!tr
CrowdStrike	win/malicious_confidence_80% (D)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1600 called NtSetContextThread to modify thread in remote process 2964
NtSetContextThread Aug. 2, 2021, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421118 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003dc process_identifier: 2964	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1600 resumed a thread in remote process 2964
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2964	1	0	0

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 2, 2021, 5:51 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1600	1	0
NtResumeThread Aug. 2, 2021, 5:51 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1600	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 1600	1	0
CreateProcessInternalW Aug. 2, 2021, 5:53 p.m.	thread_identifier: 2852 thread_handle: 0x000003bc process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAaeNW" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A83.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Aug. 2, 2021, 5:53 p.m.	thread_identifier: 2932 thread_handle: 0x000003d4 process_identifier: 2928 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\allparts.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\allparts.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000344	1	1
NtGetContextThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003d4	1	0
NtAllocateVirtualMemory Aug. 2, 2021, 5:53 p.m.	process_identifier: 2928 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000344		3221225496
CreateProcessInternalW Aug. 2, 2021, 5:53 p.m.	thread_identifier: 2968 thread_handle: 0x000003dc process_identifier: 2964 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\allparts.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\allparts.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003d8	1	1
NtGetContextThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003dc	1	0
NtAllocateVirtualMemory Aug. 2, 2021, 5:53 p.m.	process_identifier: 2964 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8	1	0
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÌaàXþu @ À@°uK H.textV X `.rsrc Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: base_address: 0x00402000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: 8Ph 0ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamemKFbjsWCYvupjvYxJpABmxXL.exe(LegalCopyright dOriginalFilenamemKFbjsWCYvupjvYxJpABmxXL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 2964 process_handle: 0x000003d8	1	1
WriteProcessMemory Aug. 2, 2021, 5:53 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2964 process_handle: 0x000003d8	1	1
NtSetContextThread Aug. 2, 2021, 5:53 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421118 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003dc process_identifier: 2964	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 1600	1	0
NtGetContextThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003f0	1	0
NtGetContextThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003f0	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 1600	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2964	1	0
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2964	1	0
CreateProcessInternalW Aug. 2, 2021, 5:53 p.m.	thread_identifier: 3056 thread_handle: 0x000001b0 process_identifier: 3052 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe track: 1 command_line: dw20.exe -x -s 408 filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000001ac	1	1
NtResumeThread Aug. 2, 2021, 5:53 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 3052	1	0

allparts.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All