Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 6, 2021, 1:24 p.m.	Oct. 6, 2021, 1:46 p.m.

Size	1.5MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ee98c1f6708926a136a805fa80652733`
SHA256	`ae2a26a5e871dbc441b4e9560820a311f8db50ebcacb2b451838d8ff71d42b93`
CRC32	`93A91B75`
ssdeep	`3072:VRv6fym3lbuDonmi5gQMC3qf2umy4TkvGTKwBQ1gHbvS9U+Z92PkrC08PrPduww+:efT`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

2145457315.exe "C:\Users\test22\AppData\Local\Temp\2145457315.exe"
2444
- 2145457315.exe C:\Users\test22\AppData\Local\Temp\2145457315.exe
  2264
  - 2145457315.exe C:\Users\test22\AppData\Local\Temp\2145457315.exe
    2408

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
116.202.11.15	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a08c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005913b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005913b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2021, 1:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00591430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2021, 1:24 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 6, 2021, 1:24 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x32d2ae @ 0x6ff6d2ae mscorlib+0x32d233 @ 0x6ff6d233 mscorlib+0x32d12a @ 0x6ff6d12a system+0x1d2c4e @ 0x72182c4e 0x840f59 system+0x1d2c4e @ 0x72182c4e 0x840bcf 0x840246 0x8400ee DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2 CoUninitializeEE+0xa85a CreateAssemblyNameObject-0x33fb clr+0x2a09e @ 0x7276a09e CoUninitializeEE+0xa8be CreateAssemblyNameObject-0x3397 clr+0x2a102 @ 0x7276a102 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1829168 registers.edi: 0 registers.eax: 1829168 registers.ebp: 1829248 registers.edx: 0 registers.ebx: 3307952 registers.esi: 2955656 registers.ecx: 1291093010	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 6, 2021, 1:24 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x32d2ae @ 0x6ff6d2ae
mscorlib+0x32d233 @ 0x6ff6d233
mscorlib+0x32d12a @ 0x6ff6d12a
system+0x1d2c4e @ 0x72182c4e
0x840f59
system+0x1d2c4e @ 0x72182c4e
0x840bcf
0x840246
0x8400ee
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2
CoUninitializeEE+0xa85a CreateAssemblyNameObject-0x33fb clr+0x2a09e @ 0x7276a09e
CoUninitializeEE+0xa8be CreateAssemblyNameObject-0x3397 clr+0x2a102 @ 0x7276a102
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1829168
registers.edi: 0
registers.eax: 1829168
registers.ebp: 1829248
registers.edx: 0
registers.ebx: 3307952
registers.esi: 2955656
registers.ecx: 1291093010

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 78 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0086f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00801000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 6, 2021, 1:24 p.m.	status_code: 0xffffffff process_identifier: 668 process_handle: 0x00000204		0	0
NtTerminateProcess Oct. 6, 2021, 1:24 p.m.	status_code: 0xffffffff process_identifier: 668 process_handle: 0x00000204	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

116.202.11.15

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 466944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 668 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204		3221225496
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2264 manipulating memory of non-child process 668
NtUnmapViewOfSection Oct. 6, 2021, 1:24 p.m.	base_address: 0x00400000 region_size: 53248 process_identifier: 668 process_handle: 0x00000204	3221225497	0
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 668 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	3221225496	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶þà0¸^Ö à@ @ÖKà¬ H.textd¶ ¸ `.rsrc¬àº@@.reloc¾@B base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: 0HXàTT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameAmaracuses.exe(LegalCopyright FOriginalFilenameAmaracuses.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x0046e000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: Ð`6 base_address: 0x00470000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©Íþà0¸âÅ à@ @ÅOàÜÈðtÅ H.textð· ¸ `.rsrcÜà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: P8hÜàLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameAddlement.exe(LegalCopyright DOriginalFilenameAddlement.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìâêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041e000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: Àä5 base_address: 0x00420000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2408 process_handle: 0x00000204	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶þà0¸^Ö à@ @ÖKà¬ H.textd¶ ¸ `.rsrc¬àº@@.reloc¾@B base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000220	1	1	0
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©Íþà0¸âÅ à@ @ÅOàÜÈðtÅ H.textð· ¸ `.rsrcÜà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000204	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 2264
Process injection	Process 2264 called NtSetContextThread to modify thread in remote process 2408
NtSetContextThread Oct. 6, 2021, 1:24 p.m.	registers.eip: 2000355780 registers.esp: 1964072 registers.edi: 0 registers.eax: 4642398 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2264	1	0	0
NtSetContextThread Oct. 6, 2021, 1:24 p.m.	registers.eip: 2000355780 registers.esp: 1376036 registers.edi: 0 registers.eax: 4310498 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 2408	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 resumed a thread in remote process 2264
Process injection	Process 2264 resumed a thread in remote process 2408
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2264	1	0	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2408	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

116.202.11.15:24147

Executed a process and injected code into it, probably while unpacking (40 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000ec	1	0
NtSetContextThread Oct. 6, 2021, 1:24 p.m.	registers.eip: 1920740228 registers.esp: 1829376 registers.edi: 58810367 registers.eax: 16711767 registers.ebp: 1829392 registers.edx: 0 registers.ebx: 58741744 registers.esi: 57745056 registers.ecx: -16754944 thread_handle: 0x000000ec process_identifier: 2444	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW Oct. 6, 2021, 1:24 p.m.	thread_identifier: 2800 thread_handle: 0x0000021c process_identifier: 2264 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2145457315.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection Oct. 6, 2021, 1:24 p.m.	base_address: 0x00400000 region_size: 5505024 process_identifier: 2264 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2264 region_size: 466944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶þà0¸^Ö à@ @ÖKà¬ H.textd¶ ¸ `.rsrc¬àº@@.reloc¾@B base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: base_address: 0x00402000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: 0HXàTT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameAmaracuses.exe(LegalCopyright FOriginalFilenameAmaracuses.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x0046e000 process_identifier: 2264 process_handle: 0x00000220	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: Ð`6 base_address: 0x00470000 process_identifier: 2264 process_handle: 0x00000220	1	1
NtGetContextThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000021c	1	0
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2264 process_handle: 0x00000220	1	1
NtSetContextThread Oct. 6, 2021, 1:24 p.m.	registers.eip: 2000355780 registers.esp: 1964072 registers.edi: 0 registers.eax: 4642398 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2264	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2264	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2264	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2264	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2264	1	0
CreateProcessInternalW Oct. 6, 2021, 1:24 p.m.	thread_identifier: 2932 thread_handle: 0x00000200 process_identifier: 668 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2145457315.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000204	1	1
NtUnmapViewOfSection Oct. 6, 2021, 1:24 p.m.	base_address: 0x00400000 region_size: 53248 process_identifier: 668 process_handle: 0x00000204		3221225497
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 668 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204		3221225496
CreateProcessInternalW Oct. 6, 2021, 1:24 p.m.	thread_identifier: 3028 thread_handle: 0x00000200 process_identifier: 2408 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2145457315.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000204	1	1
NtUnmapViewOfSection Oct. 6, 2021, 1:24 p.m.	base_address: 0x00400000 region_size: 5505024 process_identifier: 2408 process_handle: 0x00000204		3221225497
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2408 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL©Íþà0¸âÅ à@ @ÅOàÜÈðtÅ H.textð· ¸ `.rsrcÜà¼@@.relocÄ@B base_address: 0x00400000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: base_address: 0x00402000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: P8hÜàLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameAddlement.exe(LegalCopyright DOriginalFilenameAddlement.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìâêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041e000 process_identifier: 2408 process_handle: 0x00000204	1	1
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: Àä5 base_address: 0x00420000 process_identifier: 2408 process_handle: 0x00000204	1	1
NtGetContextThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000200	1	0
WriteProcessMemory Oct. 6, 2021, 1:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2408 process_handle: 0x00000204	1	1
NtSetContextThread Oct. 6, 2021, 1:24 p.m.	registers.eip: 2000355780 registers.esp: 1376036 registers.edi: 0 registers.eax: 4310498 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 2408	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Oct. 6, 2021, 1:24 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2408	1	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.PackedNET.972
MicroWorld-eScan	Trojan.Generic.30205242
FireEye	Generic.mg.ee98c1f6708926a1
CAT-QuickHeal	Trojanpws.Msil
ALYac	Trojan.Generic.30205242
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0057fbdb1 )
BitDefender	Trojan.Generic.30205242
K7GW	Trojan ( 0057fbdb1 )
Cybereason	malicious.3a4b98
BitDefenderTheta	Gen:NN.ZemsilF.34170.Hn0@aybxjWc
Cyren	W32/MSIL_Kryptik.FNI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACCF
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Reline.gen
Alibaba	Trojan:Win32/Kryptik.ali2000016
NANO-Antivirus	Trojan.Win32.Kryptik.jcjjla
SUPERAntiSpyware	Trojan.Agent/Gen-Falint[Cont]
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.Generic.30205242
Sophos	ML/PE-A
Emsisoft	Trojan.Generic.30205242 (B)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_100%
Avira	HEUR/AGEN.1144480
Microsoft	Trojan:MSIL/AgentTesla.JPX!MTB
GData	MSIL.Trojan-Stealer.Redline.I816PD
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4628732
McAfee	GenericRXPZ-PJ!EE98C1F67089
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.R06CC0DIO21
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Kryptik.ACCF!tr
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)

2145457315.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All