Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 4, 2021, 5:16 p.m.	Aug. 4, 2021, 5:18 p.m.

Size	600.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d50c5edad1478a183e7216b0a94bd215`
SHA256	`c0eee6869cb1d1b6c8309151b45795b8866f7171b365dc29f7610cf385264239`
CRC32	`27EB23DA`
ssdeep	`12288:Ufl5ufVwysgqfvseUJejCa6mNNu3dJodhtvvAvUg:Ufl5ufVwysvdsmq5mTHEUg`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

nva.exe "C:\Users\test22\AppData\Local\Temp\nva.exe"
552
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\Wex4QFpowplI.bat" "
2824
- chcp.com chcp 65001
  2924
- PING.EXE ping -n 10 localhost
  1400
- nva.exe "C:\Users\test22\AppData\Local\Temp\nva.exe"
  1628
  - nva.exe C:\Users\test22\AppData\Local\Temp\nva.exe
    1384

Name	Response	Post-Analysis Lookup
societyf500.ddns.net	A 37.238.146.18	37.238.146.18

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:57684 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 4, 2021, 5:16 p.m.			0	0
IsDebuggerPresent Aug. 4, 2021, 5:16 p.m.			0	0
IsDebuggerPresent Aug. 4, 2021, 5:17 p.m.			0	0
IsDebuggerPresent Aug. 4, 2021, 5:17 p.m.			0	0
IsDebuggerPresent Aug. 4, 2021, 5:17 p.m.			0	0
IsDebuggerPresent Aug. 4, 2021, 5:17 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 4, 2021, 5:17 p.m.	buffer: DONT CLOSE THIS WINDOW! console_handle: 0x00000007	1	1
WriteConsoleW Aug. 4, 2021, 5:17 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 4, 2021, 5:17 p.m.	buffer: Active code page: 65001 console_handle: 0x00000013	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2021, 5:16 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Aug. 4, 2021, 5:16 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76e5b37e 0x4ac2dd5 0x4ac2d4a 0x4ac0bf9 0x4ac02a3 0x65dffe DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73df2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73e0264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73e71838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73e71737 mscorlib+0x2d36ad @ 0x729236ad mscorlib+0x308f2d @ 0x72958f2d mscorlib+0x3135ed @ 0x729635ed 0x650904 0x6507e2 mscorlib+0x302367 @ 0x72952367 mscorlib+0x3022a6 @ 0x729522a6 mscorlib+0x302261 @ 0x72952261 mscorlib+0x30ca7c @ 0x7295ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73df2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73e0264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73e02e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73e907d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73e67d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73e67dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73e67e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73dfc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73e90694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73f0a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76e5b479 registers.esp: 80276024 registers.edi: 1968168904 registers.eax: 17104896 registers.ebp: 80276228 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 4, 2021, 5:16 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76e5b37e 0x4ac2dd5 0x4ac2d4a 0x4ac0bf9 0x4ac02a3 0x65dffe DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73df2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73e0264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73e71838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73e71737 mscorlib+0x2d36ad @ 0x729236ad mscorlib+0x308f2d @ 0x72958f2d mscorlib+0x3135ed @ 0x729635ed 0x650904 0x6507e2 mscorlib+0x302367 @ 0x72952367 mscorlib+0x3022a6 @ 0x729522a6 mscorlib+0x302261 @ 0x72952261 mscorlib+0x30ca7c @ 0x7295ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73df2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73e0264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73e02e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73e907d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73e67d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73e67dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73e67e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73dfc3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73e90694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73f0a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76e5b479 registers.esp: 80276024 registers.edi: 1968168904 registers.eax: 19464192 registers.ebp: 80276228 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 4, 2021, 5:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76e5b37e 0x1022dd5 0x1022d4a 0x1020bf9 0x10202a3 0x74dffe DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73de2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73df264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73e61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73e61737 mscorlib+0x2d36ad @ 0x729236ad mscorlib+0x308f2d @ 0x72958f2d mscorlib+0x3135ed @ 0x729635ed 0x740904 0x7407e2 mscorlib+0x302367 @ 0x72952367 mscorlib+0x3022a6 @ 0x729522a6 mscorlib+0x302261 @ 0x72952261 mscorlib+0x30ca7c @ 0x7295ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73de2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73df264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73df2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73e807d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73e57d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73e57dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73e57e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73dec3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73e80694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73efa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76e5b479 registers.esp: 82373800 registers.edi: 1968168904 registers.eax: 17104896 registers.ebp: 82374004 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 4, 2021, 5:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76e5b37e 0x1022dd5 0x1022d4a 0x1020bf9 0x10202a3 0x74dffe DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73de2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73df264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73e61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73e61737 mscorlib+0x2d36ad @ 0x729236ad mscorlib+0x308f2d @ 0x72958f2d mscorlib+0x3135ed @ 0x729635ed 0x740904 0x7407e2 mscorlib+0x302367 @ 0x72952367 mscorlib+0x3022a6 @ 0x729522a6 mscorlib+0x302261 @ 0x72952261 mscorlib+0x30ca7c @ 0x7295ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73de2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73df264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73df2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73e807d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73e57d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73e57dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73e57e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73dec3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73e80694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73efa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76e333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77969ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77969ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76e5b479 registers.esp: 82373800 registers.edi: 1968168904 registers.eax: 19464192 registers.ebp: 82374004 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

societyf500.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 103 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0473f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0666c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0666d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0666e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0666f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04731000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00074600', u'virtual_address': u'0x00002000', u'entropy': 7.996649208699286, u'name': u'.text', u'virtual_size': u'0x0007449c'}

entropy

7.9966492087

description

A section with a high entropy has been found

entropy

0.775833333333

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 4, 2021, 5:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 4, 2021, 5:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 56 events)

description	Communications use DNS	rule	Network_DNS
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications use DNS	rule	Network_DNS
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 10 localhost
cmdline	chcp 65001

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 1464 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0	0
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1384 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVA				reg_value	"C:\Users\test22\AppData\Local\NVA.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVA				reg_value	"C:\Users\test22\AppData\Local\NVA.exe"

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 552 manipulating memory of non-child process 1464
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 1464 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0	0

Potential code injection by writing to the memory of another process (9 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 552 injected into non-child 1464
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1464 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: 8Ph ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020LegalTrademarks>OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00480000 process_identifier: 1464 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: à7 base_address: 0x00482000 process_identifier: 1464 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1464 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x000002ac	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: 8Ph ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020LegalTrademarks>OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00480000 process_identifier: 1384 process_handle: 0x000002ac	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: à7 base_address: 0x00482000 process_identifier: 1384 process_handle: 0x000002ac	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1384 process_handle: 0x000002ac	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 552 injected into non-child 1464
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1464 process_handle: 0x000002b4	1	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x000002ac	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 552 called NtSetContextThread to modify thread in remote process 1464
Process injection	Process 1628 called NtSetContextThread to modify thread in remote process 1384
NtSetContextThread Aug. 4, 2021, 5:16 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4712318 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 1464	1	0	0
NtSetContextThread Aug. 4, 2021, 5:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4712318 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 1384	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 552 resumed a thread in remote process 1464
Process injection	Process 2824 resumed a thread in remote process 1628
Process injection	Process 1628 resumed a thread in remote process 1384
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1464	1	0	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1628	1	0	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1384	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.d50c5edad1478a18
McAfee	RDN/Generic.dx
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.9a496de9
Cybereason	malicious.fc716c
BitDefenderTheta	Gen:NN.ZemsilF.34058.Lm0@amgNLuh
ESET-NOD32	a variant of MSIL/Kryptik.ACFZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:CrypterX-gen [Trj]
SentinelOne	Static AI - Suspicious PE
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/AgentTesla!ml
GData	MSIL.Backdoor.Quasar.JCRWMN
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.97%
TrendMicro-HouseCall	TROJ_GEN.R002H0DH321
Fortinet	MSIL/Kryptik.ACFK!tr
AVG	Win32:CrypterX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win32/TrojanDownloader.Generic.HgIASZsA

Executed a process and injected code into it, probably while unpacking (35 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 552	1	0
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 552	1	0
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 552	1	0
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 552	1	0
CreateProcessInternalW Aug. 4, 2021, 5:16 p.m.	thread_identifier: 1532 thread_handle: 0x000002ac process_identifier: 1464 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\nva.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtGetContextThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory Aug. 4, 2021, 5:16 p.m.	process_identifier: 1464 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1464 process_handle: 0x000002b4	1	1
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: base_address: 0x00402000 process_identifier: 1464 process_handle: 0x000002b4	1	1
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: 8Ph ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020LegalTrademarks>OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00480000 process_identifier: 1464 process_handle: 0x000002b4	1	1
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: à7 base_address: 0x00482000 process_identifier: 1464 process_handle: 0x000002b4	1	1
WriteProcessMemory Aug. 4, 2021, 5:16 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1464 process_handle: 0x000002b4	1	1
NtSetContextThread Aug. 4, 2021, 5:16 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4712318 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 1464	1	0
NtResumeThread Aug. 4, 2021, 5:16 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1464	1	0
CreateProcessInternalW Aug. 4, 2021, 5:17 p.m.	thread_identifier: 2972 thread_handle: 0x00000088 process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\chcp.com track: 1 command_line: chcp 65001 filepath_r: C:\Windows\system32\chcp.com stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Aug. 4, 2021, 5:17 p.m.	thread_identifier: 320 thread_handle: 0x00000088 process_identifier: 1400 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 10 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Aug. 4, 2021, 5:17 p.m.	thread_identifier: 788 thread_handle: 0x00000084 process_identifier: 1628 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\nva.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\nva.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\nva.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1628	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1628	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1628	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 1628	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 1628	1	0
CreateProcessInternalW Aug. 4, 2021, 5:17 p.m.	thread_identifier: 184 thread_handle: 0x000002a4 process_identifier: 1384 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\nva.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtGetContextThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000002a4	1	0
NtAllocateVirtualMemory Aug. 4, 2021, 5:17 p.m.	process_identifier: 1384 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac	1	0
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^àÈ~ç @ @@0çK H.textÇ È `.rsrc Ê@@.reloc Ö@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x000002ac	1	1
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: base_address: 0x00402000 process_identifier: 1384 process_handle: 0x000002ac	1	1
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: 8Ph ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020LegalTrademarks>OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x00480000 process_identifier: 1384 process_handle: 0x000002ac	1	1
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: à7 base_address: 0x00482000 process_identifier: 1384 process_handle: 0x000002ac	1	1
WriteProcessMemory Aug. 4, 2021, 5:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1384 process_handle: 0x000002ac	1	1
NtSetContextThread Aug. 4, 2021, 5:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4712318 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 1384	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1384	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1384	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1384	1	0
NtResumeThread Aug. 4, 2021, 5:17 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1384	1	0

nva.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All