Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 5, 2021, 9:53 a.m.	Oct. 5, 2021, 10:06 a.m.

Size	1.3MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4848485b65241043189c99b7790836ad`
SHA256	`1c72a295a2d1f21831a17c6919abbde4117ebfafc0f9279ab468e00334759112`
CRC32	`2525933E`
ssdeep	`24576:/2byN9UB69h6n83Qv7JlGLIqIcI8fpqjb+DVWIEb7f8NAAvtCkuYJL:/khBwE83iJlEfRdhBhWBGAwuYF`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

princehfzx.exe "C:\Users\test22\AppData\Local\Temp\princehfzx.exe"
2232
- RegAsm.exe C:\Users\test22\AppData\Local\Temp\RegAsm.exe gedhhds
  1972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 5, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2021, 9:53 a.m.			0	0
IsDebuggerPresent Oct. 5, 2021, 9:53 a.m.			0	0
IsDebuggerPresent Oct. 5, 2021, 10:04 a.m.			0	0
IsDebuggerPresent Oct. 5, 2021, 10:04 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 5, 2021, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a5010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 5, 2021, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a5010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 5, 2021, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a5090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 5, 2021, 9:53 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 5, 2021, 9:53 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x6caa1d 0x6c9d3b 0x6c84e8 0x6c5d9b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d3711 @ 0x724b3711 mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3133fd @ 0x724f33fd 0x6c01c2 0x6c0076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 4254396 registers.edi: 1969676232 registers.eax: 9699328 registers.ebp: 4254600 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 5, 2021, 9:53 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x6caa1d 0x6c9d3b 0x6c84e8 0x6c5d9b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d3711 @ 0x724b3711 mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3133fd @ 0x724f33fd 0x6c01c2 0x6c0076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 4254396 registers.edi: 1969676232 registers.eax: 9699328 registers.ebp: 4254600 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 5, 2021, 10:05 a.m.	stacktrace: 0x8f1708 0x8f0f33 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 1b d8 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8f1b7b registers.esp: 1371440 registers.edi: 1371464 registers.eax: 0 registers.ebp: 1371476 registers.edx: 195 registers.ebx: 1371732 registers.esi: 44215548 registers.ecx: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 5, 2021, 9:53 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e
0x6caa1d
0x6c9d3b
0x6c84e8
0x6c5d9b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737
mscorlib+0x2d3711 @ 0x724b3711
mscorlib+0x308f2d @ 0x724e8f2d
mscorlib+0x3133fd @ 0x724f33fd
0x6c01c2
0x6c0076
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x76a6b479
registers.esp: 4254396
registers.edi: 1969676232
registers.eax: 9699328
registers.ebp: 4254600
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Oct. 5, 2021, 9:53 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e
0x6caa1d
0x6c9d3b
0x6c84e8
0x6c5d9b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737
mscorlib+0x2d3711 @ 0x724b3711
mscorlib+0x308f2d @ 0x724e8f2d
mscorlib+0x3133fd @ 0x724f33fd
0x6c01c2
0x6c0076
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

__exception__

Oct. 5, 2021, 10:05 a.m.

stacktrace:

0x8f1708
0x8f0f33
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 1b d8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8f1b7b
registers.esp: 1371440
registers.edi: 1371464
registers.eax: 0
registers.ebp: 1371476
registers.edx: 195
registers.ebx: 1371732
registers.esi: 44215548
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 76 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02020000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73142000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f5b000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7414a000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 5, 2021, 10:04 a.m.	process_identifier: 1972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7403f000 process_handle: 0xffffffff	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0012fc00', u'virtual_address': u'0x00002000', u'entropy': 7.922618213094956, u'name': u'.text', u'virtual_size': u'0x0012fa9c'}

entropy

7.92261821309

description

A section with a high entropy has been found

entropy

0.928899082569

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 5, 2021, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 5, 2021, 10:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 5, 2021, 9:53 a.m.	status_code: 0xffffffff process_identifier: 732 process_handle: 0x00000294		0	0
NtTerminateProcess Oct. 5, 2021, 9:53 a.m.	status_code: 0xffffffff process_identifier: 732 process_handle: 0x00000294	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 732 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 1972 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 5, 2021, 10:05 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 8184580 seconds, actually delayed analysis time by 8184580 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bdjdjd

reg_value

"C:\Users\test22\AppData\Local\bdjdjd.exe"

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 manipulating memory of non-child process 732
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 732 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELåLZaàVÞt @ À@tS H.textäT V `.rsrcX@@.reloc \@B base_address: 0x00400000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: 0HX¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamexusJwoyqIYckLpfSsabQdCaMjZcBLOQSLqRY.exe(LegalCopyright \|)OriginalFilenamexusJwoyqIYckLpfSsabQdCaMjZcBLOQSLqRY.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: pà4 base_address: 0x0043a000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1972 process_handle: 0x00000290	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELåLZaàVÞt @ À@tS H.textäT V `.rsrcX@@.reloc \@B base_address: 0x00400000 process_identifier: 1972 process_handle: 0x00000290	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 called NtSetContextThread to modify thread in remote process 1972
NtSetContextThread Oct. 5, 2021, 9:53 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 1972	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 resumed a thread in remote process 1972
NtResumeThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1972	1	0	0

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW Oct. 5, 2021, 9:53 a.m.	thread_identifier: 2868 thread_handle: 0x00000288 process_identifier: 732 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\RegAsm.exe gedhhds filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000288	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 732 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496
CreateProcessInternalW Oct. 5, 2021, 9:53 a.m.	thread_identifier: 3008 thread_handle: 0x00000294 process_identifier: 1972 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\RegAsm.exe gedhhds filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000290	1	1
NtGetContextThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000294	1	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 1972 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELåLZaàVÞt @ À@tS H.textäT V `.rsrcX@@.reloc \@B base_address: 0x00400000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: base_address: 0x00402000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: 0HX¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamexusJwoyqIYckLpfSsabQdCaMjZcBLOQSLqRY.exe(LegalCopyright \|)OriginalFilenamexusJwoyqIYckLpfSsabQdCaMjZcBLOQSLqRY.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: pà4 base_address: 0x0043a000 process_identifier: 1972 process_handle: 0x00000290	1	1
WriteProcessMemory Oct. 5, 2021, 9:53 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1972 process_handle: 0x00000290	1	1
NtSetContextThread Oct. 5, 2021, 9:53 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 9:53 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:04 a.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:04 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:04 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 1972	1	0
NtResumeThread Oct. 5, 2021, 10:05 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 1972	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.MSIL.Seraph.a!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Mardom.MN.10
FireEye	Generic.mg.4848485b65241043
ALYac	Gen:Trojan.Mardom.MN.10
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:Win32/Maldoc.ali2000008
CrowdStrike	win/malicious_confidence_80% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34170.rn0@aO7Incf
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IYM
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Generic-7113183-0
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Trojan.Mardom.MN.10
Avast	FileRepMalware
Ad-Aware	Gen:Trojan.Mardom.MN.10
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Gen:Trojan.Mardom.MN.10 (B)
GData	MSIL.Trojan-Stealer.AgentTesla.7ODVZJ
Avira	HEUR/AGEN.1142543
MAX	malware (ai score=100)
Arcabit	Trojan.Mardom.MN.10
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 99)
McAfee	Artemis!4848485B6524
TrendMicro-HouseCall	TROJ_FRS.VSNW04J21
Ikarus	Trojan.MSIL.Krypt
eGambit	Trojan.Generic
Fortinet	MSIL/GenKryptik.FLOC!tr
Webroot	W32.Trojan.Gen
AVG	FileRepMalware
Panda	Trj/GdSda.A

princehfzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All