Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 18, 2021, 7:47 a.m.	Nov. 18, 2021, 7:58 a.m.

Size	683.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`36a3565a279b5e9a93d057c91a233e8a`
SHA256	`11d1ed0f2ae0672dfebd099ddd152d37089e302d164063998974fbfbfca6161d`
CRC32	`CA52937B`
ssdeep	`12288:etJFzs1yqUebJDzNULkwQoXw6RYW4M7e7WL9x8kb/iZeNd2XAL4kXwI6:etJFzswEdckZZK4ml`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

stan.jpg "C:\Users\test22\AppData\Local\Temp\stan.jpg"
2408
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp"
  2760
- stan.jpg "{path}"
  2824

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2021, 7:47 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:47 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:47 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:47 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 18, 2021, 7:47 a.m.	buffer: SUCCESS: The scheduled task "Updates\FdGKendez" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 18, 2021, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00563ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00563f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 7:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00563f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 7:47 a.m.		1	1	0

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Nov. 18, 2021, 7:47 a.m.	stacktrace: 0x701790 0x700fbb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x701c03 registers.esp: 2355936 registers.edi: 2355960 registers.eax: 0 registers.ebp: 2355972 registers.edx: 195 registers.ebx: 2356220 registers.esi: 39583732 registers.ecx: 0	1
__exception__ Nov. 18, 2021, 7:49 a.m.	stacktrace: 0x706ace 0x70151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 51 f8 be 70 exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x70f46f registers.esp: 2354676 registers.edi: 0 registers.eax: 39879544 registers.ebp: 2354724 registers.edx: 39879544 registers.ebx: 39878776 registers.esi: 39878584 registers.ecx: 1895909778	1
__exception__ Nov. 18, 2021, 7:49 a.m.	stacktrace: 0x707030 0x70151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 d9 6a f9 6e 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22ea00c registers.esp: 2354660 registers.edi: 2354708 registers.eax: 0 registers.ebp: 2354724 registers.edx: 2354628 registers.ebx: 39723492 registers.esi: 39725640 registers.ecx: 0	1
__exception__ Nov. 18, 2021, 7:49 a.m.	stacktrace: 0x7072f4 0x70151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 2e 3f f9 6e 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22ecbb7 registers.esp: 2354644 registers.edi: 2354708 registers.eax: 0 registers.ebp: 2354724 registers.edx: 2354612 registers.ebx: 39723492 registers.esi: 39725640 registers.ecx: 0	1
__exception__ Nov. 18, 2021, 7:49 a.m.	stacktrace: 0x7073d6 0x70151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22ed381 registers.esp: 2354672 registers.edi: 2354712 registers.eax: 3 registers.ebp: 2354724 registers.edx: 0 registers.ebx: 39723492 registers.esi: 40313488 registers.ecx: 0	1
__exception__ Nov. 18, 2021, 7:49 a.m.	stacktrace: 0x70151a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738f2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7390264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73902e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739b74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x739b7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a41dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a41e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a41f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a4416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f9f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7074ea registers.esp: 2354732 registers.edi: 40324752 registers.eax: 0 registers.ebp: 2356008 registers.edx: 40324752 registers.ebx: 0 registers.esi: 0 registers.ecx: 39068304	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 145 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00628000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e201a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e201c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9af8e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e9af82 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e66af0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e66b14 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e66b1c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e66b20 process_handle: 0xffffffff		3221225550

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\FdGKendez.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp"
cmdline	schtasks.exe /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\FdGKendez.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 18, 2021, 7:47 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp" filepath: schtasks.exe	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Nov. 18, 2021, 7:47 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\\tmpG546.tmp flags: 8 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\stan.jpg newfilepath: C:\Users\test22\AppData\Local\Temp\tmpG546.tmp oldfilepath: C:\Users\test22\AppData\Local\Temp\stan.jpg	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000aa400', u'virtual_address': u'0x00002000', u'entropy': 7.0581467220329825, u'name': u'.text', u'virtual_size': u'0x000aa374'}

entropy

7.05814672203

description

A section with a high entropy has been found

entropy

0.997071742313

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 18, 2021, 7:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp"
cmdline	schtasks.exe /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2824 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 18, 2021, 7:47 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

stan.jpg tried to sleep 10912881 seconds, actually delayed analysis time by 10912881 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects virtualization software with SCSI Disk Identifier trick(s) (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newapp

reg_value

C:\Users\test22\AppData\Roaming\newapp\newapp.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&aàXþu @ À@¨uS8 H.textV X `.rsrc8Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: 8Ph ¤Hê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameodOWHpagGTKVHAHdmwQHXhCIyxQYXl.exe(LegalCopyright p#OriginalFilenameodOWHpagGTKVHAHdmwQHXhCIyxQYXl.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2824 process_handle: 0x00000440	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&aàXþu @ À@¨uS8 H.textV X `.rsrc8Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2824 process_handle: 0x00000440	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.36a3565a279b5e9a
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (D)
Cyren	W32/MSIL_Kryptik.GCK.gen!Eldorado
Symantec	Trojan.Formbook
APEX	Malicious
Kaspersky	VHO:Trojan.MSIL.Taskun.gen
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Fareit.jc
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
VBA32	CIL.HeapOverride.Heur
Fortinet	MSIL/GenKryptik.FNNT!tr
BitDefenderTheta	Gen:NN.ZemsilF.34266.Qm0@a4HAEud
Cybereason	malicious.a6a0c7
MaxSecure	Trojan.Malware.300983.susgen

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2408 called NtSetContextThread to modify thread in remote process 2824
NtSetContextThread Nov. 18, 2021, 7:47 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421118 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000444 process_identifier: 2824	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2408 resumed a thread in remote process 2824
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2824	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Nov. 18, 2021, 7:47 a.m.	ordinal: 0 function_address: 0x0018d324 function_name: wine_get_unix_file_name module: KERNEL32 module_address: 0x76860000		3221225785	0

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2408	1	0
NtGetContextThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2408	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2408	1	0
CreateProcessInternalW Nov. 18, 2021, 7:47 a.m.	thread_identifier: 2764 thread_handle: 0x0000047c process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdGKendez" /XML "C:\Users\test22\AppData\Local\Temp\tmpF2BC.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Nov. 18, 2021, 7:47 a.m.	thread_identifier: 2828 thread_handle: 0x00000444 process_identifier: 2824 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\stan.jpg track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\stan.jpg stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000440	1	1
NtGetContextThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000444	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:47 a.m.	process_identifier: 2824 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440	1	0
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&aàXþu @ À@¨uS8 H.textV X `.rsrc8Z@@.reloc `@B base_address: 0x00400000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: base_address: 0x00402000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: 8Ph ¤Hê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameodOWHpagGTKVHAHdmwQHXhCIyxQYXl.exe(LegalCopyright p#OriginalFilenameodOWHpagGTKVHAHdmwQHXhCIyxQYXl.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: p6 base_address: 0x0043a000 process_identifier: 2824 process_handle: 0x00000440	1	1
WriteProcessMemory Nov. 18, 2021, 7:47 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2824 process_handle: 0x00000440	1	1
NtSetContextThread Nov. 18, 2021, 7:47 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421118 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000444 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:48 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:48 a.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread Nov. 18, 2021, 7:48 a.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2824	1	0

stan.jpg

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All