Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 27, 2021, 3:26 p.m.	Aug. 27, 2021, 3:49 p.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`814f22a67e6d2046f532f973f197c649`
SHA256	`c2e1450509092251b7376c9d4acd0636b41c19060591c0ef6c3bb58ab7e49ee0`
CRC32	`873A0759`
ssdeep	`49152:R6XZx5c96civqfPao3Hwa1VDhkYKt457bjG48GrbcE+SER:R6pxepiuR3Kt4Ra4N+1`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

NvidiaShare1.exe "C:\Users\test22\AppData\Local\Temp\NvidiaShare1.exe"
544
- NvidiaShare1.exe C:\Users\test22\AppData\Local\Temp\NvidiaShare1.exe
  1904

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.18.6.156	Active	Moloch
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
179.43.141.103	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 179.43.141.103:1234	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49170 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLS 1.2 192.168.56.102:49169 179.43.141.103:1234	CN=ServerZ	CN=ServerZ	38:5c:b6:85:5c:71:b3:ae:76:1e:8d:be:3d:ea:be:d4:03:ff:f0:23

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 27, 2021, 3:48 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 27, 2021, 3:26 p.m.			0	0
IsDebuggerPresent Aug. 27, 2021, 3:26 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 27, 2021, 3:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007174e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 27, 2021, 3:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00716fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 27, 2021, 3:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00716fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 27, 2021, 3:26 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 27, 2021, 3:27 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52e5695 0x52e560a 0x52e2daa 0x52e2973 0x52e12ca 0x5070b37 system+0x1d3f63 @ 0x70073f63 0x62269c 0x6219f0 mscorlib+0x30c9ff @ 0x724ec9ff mscorlib+0x302367 @ 0x724e2367 mscorlib+0x3022a6 @ 0x724e22a6 mscorlib+0x302261 @ 0x724e2261 mscorlib+0x30ca7c @ 0x724eca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x732407d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73217d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73217dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73217e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x731ac3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73240694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x732ba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 108130404 registers.edi: 1969676232 registers.eax: 9437184 registers.ebp: 108130608 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 27, 2021, 3:27 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e
0x52e5695
0x52e560a
0x52e2daa
0x52e2973
0x52e12ca
0x5070b37
system+0x1d3f63 @ 0x70073f63
0x62269c
0x6219f0
mscorlib+0x30c9ff @ 0x724ec9ff
mscorlib+0x302367 @ 0x724e2367
mscorlib+0x3022a6 @ 0x724e22a6
mscorlib+0x302261 @ 0x724e2261
mscorlib+0x30ca7c @ 0x724eca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x732407d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73217d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73217dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73217e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x731ac3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73240694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x732ba0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x76a6b479
registers.esp: 108130404
registers.edi: 1969676232
registers.eax: 9437184
registers.ebp: 108130608
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/875152353035157555/880421379307089940/Chrome.exe

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:26 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0507f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05493000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00418000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 27, 2021, 3:48 p.m.	process_identifier: 1904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73652000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

NvidiaShare1.exe tried to sleep 254 seconds, actually delayed analysis time by 254 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\2pEdSsGMLGss7Gz1.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00209400', u'virtual_address': u'0x00002000', u'entropy': 7.998887034612064, u'name': u'.text', u'virtual_size': u'0x00209254'}

entropy

7.99888703461

description

A section with a high entropy has been found

entropy

0.821998817268

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 27, 2021, 3:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 27, 2021, 3:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 27, 2021, 3:48 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (22 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Communications smtp	rule	network_smtp_raw
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 4430329a5a19ad10ea69d6fb16abd537a7ea73f7

Communicates with host for which no DNS query was performed (3 events)

host	104.18.6.156
host	179.43.141.103
host	208.95.112.1

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 1904 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000348	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 27, 2021, 3:48 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NvidiaShare

reg_value

"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nvidia\NvidiaShare.exe"

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 27, 2021, 3:48 p.m.	thread_identifier: 0 callback_function: 0x0050f84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	2097465	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x007a8000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1904 process_handle: 0x00000348	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 1904 process_handle: 0x00000348	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 27, 2021, 3:48 p.m.	thread_identifier: 0 callback_function: 0x004ca8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	590183	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 544 called NtSetContextThread to modify thread in remote process 1904
NtSetContextThread Aug. 27, 2021, 3:27 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 1904	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 544 resumed a thread in remote process 1904
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 1904	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
BitDefenderTheta	Gen:NN.ZemsilF.34110.Eo0@aqT7Nqb
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FJOI
APEX	Malicious
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Sophos	ML/PE-A
Ikarus	Trojan.Inject
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!814F22A67E6D
Malwarebytes	MachineLearning/Anomalous.100%
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACGG!tr
Cybereason	malicious.b3349e

Executed a process and injected code into it, probably while unpacking (43 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 27, 2021, 3:26 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 544	1	0
NtResumeThread Aug. 27, 2021, 3:26 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 544	1	0
NtResumeThread Aug. 27, 2021, 3:26 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 544	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 544	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 544	1	0
NtGetContextThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320	1	0
NtGetContextThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 544	1	0
NtGetContextThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320	1	0
NtGetContextThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 544	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 544	1	0
CreateProcessInternalW Aug. 27, 2021, 3:27 p.m.	thread_identifier: 2212 thread_handle: 0x0000016c process_identifier: 1904 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\NvidiaShare1.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000348	1	1
NtGetContextThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x0000016c	1	0
NtAllocateVirtualMemory Aug. 27, 2021, 3:27 p.m.	process_identifier: 1904 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000348	1	0
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x00401000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x006e0000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x0078c000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x007a6000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x007a8000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: base_address: 0x007a9000 process_identifier: 1904 process_handle: 0x00000348	1	1
WriteProcessMemory Aug. 27, 2021, 3:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1904 process_handle: 0x00000348	1	1
NtSetContextThread Aug. 27, 2021, 3:27 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:27 p.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:48 p.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread Aug. 27, 2021, 3:49 p.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 1904	1	0

NvidiaShare1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All