Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 12, 2021, 6:41 p.m.	Oct. 12, 2021, 6:43 p.m.

Size	751.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8338edb0559c1e6136c6bb061cbcff77`
SHA256	`1088f315a8018b011b062618e873498827faefc0d24e9bcf62492c1dd56bf1a2`
CRC32	`79F77C14`
ssdeep	`12288:Ck85MKcjpID7T5yZHhk2HYMizNh/b9qVQdV2k8hGTcguDdSB4h3Hv:j2/cc7T5EHhr2zNlb9qudV2NhiWMB43P`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

LIST-TM~20098736536093876.exe "C:\Users\test22\AppData\Local\Temp\LIST-TM~20098736536093876.exe"
2132
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp"
  2212
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2820
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp187D.tmp"
    1928
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1949.tmp"
    2576

Name	Response	Post-Analysis Lookup
1116.hopto.org	A 185.140.53.9	185.140.53.9

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.140.53.9	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49172 -> 185.140.53.9:1116	2025019	ET MALWARE Possible NanoCore C2 60B	Malware Command and Control Activity Detected
UDP 192.168.56.102:64995 -> 8.8.8.8:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 12, 2021, 6:42 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 12, 2021, 6:41 p.m.			0	0
IsDebuggerPresent Oct. 12, 2021, 6:41 p.m.			0	0
IsDebuggerPresent Oct. 12, 2021, 6:42 p.m.			0	0
IsDebuggerPresent Oct. 12, 2021, 6:42 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 12, 2021, 6:42 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 12, 2021, 6:42 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 12, 2021, 6:42 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 12, 2021, 6:42 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host Task" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 12, 2021, 6:41 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 12, 2021, 6:42 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72cb1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72b82ba1 mscorlib+0x2f1378 @ 0x71e31378 mscorlib+0x355fec @ 0x71e95fec mscorlib+0x32d99a @ 0x71e6d99a mscorlib+0x32d54b @ 0x71e6d54b 0x57b4f5 0x578b16 0x578a07 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72b81838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72b81737 mscorlib+0x305edf @ 0x71e45edf mscorlib+0x2e9e1b @ 0x71e29e1b mscorlib+0x2e99c1 @ 0x71e299c1 mscorlib+0x2de184 @ 0x71e1e184 0x578512 0x577e25 0x5707f3 0x570614 system+0xaac56b @ 0x7104c56b system+0x1fe5cb @ 0x7079e5cb system+0x1fe55e @ 0x7079e55e system+0x1fe4a3 @ 0x7079e4a3 mscorlib+0x302367 @ 0x71e42367 mscorlib+0x3022a6 @ 0x71e422a6 mscorlib+0x302261 @ 0x71e42261 system+0x1fe431 @ 0x7079e431 system+0x1fe237 @ 0x7079e237 system+0x1ee37d @ 0x7078e37d system+0x1f70ea @ 0x707970ea system+0x1e56c0 @ 0x707856c0 system+0x1f6e10 @ 0x70796e10 system+0x1ee251 @ 0x7078e251 system+0x1ee229 @ 0x7078e229 system+0x1ee170 @ 0x7078e170 0x3ea08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a system+0x2093cc @ 0x707a93cc system+0x1fdca1 @ 0x7079dca1 system+0x1fd921 @ 0x7079d921 system+0x1fd792 @ 0x7079d792 system+0x1a14bd @ 0x707414bd 0x5701ba DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1564876 registers.edi: 0 registers.eax: 1564876 registers.ebp: 1564956 registers.edx: 0 registers.ebx: 8363960 registers.esi: 7940096 registers.ecx: 192108531	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 12, 2021, 6:42 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72cb1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72b82ba1
mscorlib+0x2f1378 @ 0x71e31378
mscorlib+0x355fec @ 0x71e95fec
mscorlib+0x32d99a @ 0x71e6d99a
mscorlib+0x32d54b @ 0x71e6d54b
0x57b4f5
0x578b16
0x578a07
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72b81838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72b81737
mscorlib+0x305edf @ 0x71e45edf
mscorlib+0x2e9e1b @ 0x71e29e1b
mscorlib+0x2e99c1 @ 0x71e299c1
mscorlib+0x2de184 @ 0x71e1e184
0x578512
0x577e25
0x5707f3
0x570614
system+0xaac56b @ 0x7104c56b
system+0x1fe5cb @ 0x7079e5cb
system+0x1fe55e @ 0x7079e55e
system+0x1fe4a3 @ 0x7079e4a3
mscorlib+0x302367 @ 0x71e42367
mscorlib+0x3022a6 @ 0x71e422a6
mscorlib+0x302261 @ 0x71e42261
system+0x1fe431 @ 0x7079e431
system+0x1fe237 @ 0x7079e237
system+0x1ee37d @ 0x7078e37d
system+0x1f70ea @ 0x707970ea
system+0x1e56c0 @ 0x707856c0
system+0x1f6e10 @ 0x70796e10
system+0x1ee251 @ 0x7078e251
system+0x1ee229 @ 0x7078e229
system+0x1ee170 @ 0x7078e170
0x3ea08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
system+0x2093cc @ 0x707a93cc
system+0x1fdca1 @ 0x7079dca1
system+0x1fd921 @ 0x7079d921
system+0x1fd792 @ 0x7079d792
system+0x1a14bd @ 0x707414bd
0x5701ba
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1564876
registers.edi: 0
registers.eax: 1564876
registers.ebp: 1564956
registers.edx: 0
registers.ebx: 8363960
registers.esi: 7940096
registers.ecx: 192108531

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

1116.hopto.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 92 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70822000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:41 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp"
cmdline	schtasks.exe /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1949.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp187D.tmp"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 12, 2021, 6:42 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 1828 thread_handle: 0x000002c8 process_identifier: 1928 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp187D.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 2608 thread_handle: 0x000002c8 process_identifier: 2576 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1949.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002d4	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008dc00', u'virtual_address': u'0x00002000', u'entropy': 7.853431282144439, u'name': u'.text', u'virtual_size': u'0x0008db88'}

entropy

7.85343128214

description

A section with a high entropy has been found

entropy

0.755496335776

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 12, 2021, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 12, 2021, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp"
cmdline	schtasks.exe /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1949.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp187D.tmp"

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 12, 2021, 6:42 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 3385650747 seconds, actually delayed analysis time by 3385650747 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2820 process_handle: 0x0000036c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2820 process_handle: 0x0000036c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2132 called NtSetContextThread to modify thread in remote process 2820
NtSetContextThread Oct. 12, 2021, 6:42 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000370 process_identifier: 2820	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2132 resumed a thread in remote process 2820
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2820	1	0	0

Executed a process and injected code into it, probably while unpacking (35 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 12, 2021, 6:41 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2132	1	0
NtResumeThread Oct. 12, 2021, 6:41 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2132	1	0
NtResumeThread Oct. 12, 2021, 6:41 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2132	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2132	1	0
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 1776 thread_handle: 0x00000410 process_identifier: 2212 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAJLitAUN" /XML "C:\Users\test22\AppData\Local\Temp\tmp15ED.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000404	1	1
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 2756 thread_handle: 0x00000370 process_identifier: 2820 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000036c	1	1
NtGetContextThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000370	1	0
NtAllocateVirtualMemory Oct. 12, 2021, 6:42 p.m.	process_identifier: 2820 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW Ð_ H.textÇ È `.relocÊ@B.rsrcÐ_ `Ì@@ base_address: 0x00400000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: base_address: 0x00402000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: base_address: 0x00422000 process_identifier: 2820 process_handle: 0x0000036c	1	1
WriteProcessMemory Oct. 12, 2021, 6:42 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2820 process_handle: 0x0000036c	1	1
NtSetContextThread Oct. 12, 2021, 6:42 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000370 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2132	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2820	1	0
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 1828 thread_handle: 0x000002c8 process_identifier: 1928 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp187D.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
CreateProcessInternalW Oct. 12, 2021, 6:42 p.m.	thread_identifier: 2608 thread_handle: 0x000002c8 process_identifier: 2576 current_directory: C:\Windows\Microsoft.NET\Framework\v4.0.30319 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp1949.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002d4	1	1
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2820	1	0
NtGetContextThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread Oct. 12, 2021, 6:42 p.m.	registers.eip: 1924672388 registers.esp: 1565084 registers.edi: 0 registers.eax: 63152114 registers.ebp: 1565128 registers.edx: 10 registers.ebx: 38059835 registers.esi: 106 registers.ecx: 121 thread_handle: 0x000000e8 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:42 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:43 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Oct. 12, 2021, 6:43 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2820	1	0

LIST-TM~20098736536093876.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All