Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 16, 2021, 1:38 p.m.	Oct. 16, 2021, 1:40 p.m.

Size	382.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bc87c171c5e5c075ebcb336ca4518452`
SHA256	`bb08e42bfb63552a1af7ab0e24bb040c9f2854f2521fda176e80c80dd17beec7`
CRC32	`E156601B`
ssdeep	`6144:s5sdZMkhBwFvM6I7Qqpvp4w5uVaZ8yi6JcHWhitE4opE59yin1qYKb6qjjTwcoUx:s3SBwFvM6Ta4YF7sWhitBwEztn15KmqA`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file

DOCS-20211510-VP-KMC022021.scr "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr"
2504
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr"
  2324
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp"
  2812
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  1632
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp1040.tmp"
    108
  - schtasks.exe "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp"
    2488

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.140.53.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 1:38 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2021, 1:38 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 1:38 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 1:38 p.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\DOCS console_handle: 0x00000053	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: -20211510-VP-KMC022021.scr console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2021, 1:38 p.m.	buffer: SUCCESS: The scheduled task "SMTP Host Task" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e51d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e56d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e5e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1:38 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e50d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2021, 1:38 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 269 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73292000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70fc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04843000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04844000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04df1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2324 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ce1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp1040.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr"
cmdline	schtasks.exe /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp"

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2021, 1:38 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr" filepath: powershell	1	1
ShellExecuteExW Oct. 16, 2021, 1:38 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2988 thread_handle: 0x00000218 process_identifier: 108 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp1040.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000021c	1	1
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2528 thread_handle: 0x00000218 process_identifier: 2488 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005ee00', u'virtual_address': u'0x00002000', u'entropy': 7.899206757272506, u'name': u'.text', u'virtual_size': u'0x0005ec08'}

entropy

7.89920675727

description

A section with a high entropy has been found

entropy

0.993455497382

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 16, 2021, 1:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2021, 1:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 16, 2021, 1:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (9 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 16, 2021, 1:38 p.m.	status_code: 0xffffffff process_identifier: 2404 process_handle: 0x0000036c		0	0
NtTerminateProcess Oct. 16, 2021, 1:38 p.m.	status_code: 0xffffffff process_identifier: 2404 process_handle: 0x0000036c	1	0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp1040.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp"
cmdline	"schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (1 event)

host

185.140.53.75

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2404 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b8		3221225496	0
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 1632 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 16, 2021, 1:38 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 2728495 seconds, actually delayed analysis time by 2728495 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 manipulating memory of non-child process 2404
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2404 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b8		3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1632 process_handle: 0x0000033c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 1632 process_handle: 0x0000033c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 called NtSetContextThread to modify thread in remote process 1632
NtSetContextThread Oct. 16, 2021, 1:38 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 1632	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2504 resumed a thread in remote process 1632
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 1632	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader43.44459
FireEye	Generic.mg.bc87c171c5e5c075
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/MSIL_Kryptik.FWF.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ADEL
APEX	Malicious
Kaspersky	UDS:Backdoor.MSIL.NanoBot.gen
Avast	Win32:MalwareX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Ikarus	Trojan-Spy.Keylogger.AgentTesla
Microsoft	Trojan:Win32/Woreflint.A!cl
Cynet	Malicious (score: 100)
McAfee	Artemis!BC87C171C5E5
Malwarebytes	MachineLearning/Anomalous.100%
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/GenKryptik.FLEY!tr
AVG	Win32:MalwareX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

Executed a process and injected code into it, probably while unpacking (38 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2320 thread_handle: 0x000003b8 process_identifier: 2324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\DOCS-20211510-VP-KMC022021.scr" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000036c	1	1
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2412 thread_handle: 0x00000334 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vlzcRkmDiOmdD" /XML "C:\Users\test22\AppData\Local\Temp\tmpDA0.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2400 thread_handle: 0x00000344 process_identifier: 2404 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003b8	1	1
NtGetContextThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000344	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 2404 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b8		3221225496
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 3012 thread_handle: 0x0000036c process_identifier: 1632 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000033c	1	1
NtGetContextThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000036c	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 1:38 p.m.	process_identifier: 1632 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	1	0
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈbç @ 8çW À_ H.textÇ È `.relocÊ@B.rsrcÀ_ `Ì@@ base_address: 0x00400000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: base_address: 0x00402000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: à7 base_address: 0x00420000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: base_address: 0x00422000 process_identifier: 1632 process_handle: 0x0000033c	1	1
WriteProcessMemory Oct. 16, 2021, 1:38 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1632 process_handle: 0x0000033c	1	1
NtSetContextThread Oct. 16, 2021, 1:38 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000434 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1632	1	0
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2988 thread_handle: 0x00000218 process_identifier: 108 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host" /xml "C:\Users\test22\AppData\Local\Temp\tmp1040.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000021c	1	1
CreateProcessInternalW Oct. 16, 2021, 1:38 p.m.	thread_identifier: 2528 thread_handle: 0x00000218 process_identifier: 2488 current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727 filepath: track: 1 command_line: "schtasks.exe" /create /f /tn "SMTP Host Task" /xml "C:\Users\test22\AppData\Local\Temp\tmp11F6.tmp" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000290	1	1
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:38 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:39 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:39 p.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:39 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 1632	1	0
NtResumeThread Oct. 16, 2021, 1:39 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 1632	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (15 events)

dead_host	185.140.53.75:97
dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49175
dead_host	192.168.56.102:49186

DOCS-20211510-VP-KMC022021.scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All