Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 26, 2023, 6:16 p.m.	May 26, 2023, 6:18 p.m.

Size	987.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`03dc66eb73f94113115e145a35599724`
SHA256	`43c39e05ae59835e16df8bd732cd035292db70bc2c2d6d95ac354622bfa376ec`
CRC32	`77C9C919`
ssdeep	`12288:97z5GoJiGaq5auiuHeSV0TL4X10nL8BeBQe90wgYlS+al1JiWYyn54FVHmSI9/VQ:55GoR5aQT0aqF2euimJiWYI4E1OaWoW`
PDB Path	obrg.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

plugmanzx.exe "C:\Users\test22\AppData\Local\Temp\plugmanzx.exe"
3040
- plugmanzx.exe "C:\Users\test22\AppData\Local\Temp\plugmanzx.exe"
  1728

Name	Response	Post-Analysis Lookup
seanblacin.sytes.net	A 109.206.243.174	109.206.243.174
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
109.206.243.174	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 109.206.243.174:6110	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49166 109.206.243.174:6110	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 26, 2023, 6:16 p.m.			0	0
IsDebuggerPresent May 26, 2023, 6:16 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

obrg.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2023, 6:16 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

seanblacin.sytes.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:16 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00618000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00619000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 3040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

plugmanzx.exe tried to sleep 266 seconds, actually delayed analysis time by 266 seconds

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000f4800', u'virtual_address': u'0x00002000', u'entropy': 7.86302612784864, u'name': u'.text', u'virtual_size': u'0x000f4608'}

entropy

7.86302612785

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002200', u'virtual_address': u'0x000f8000', u'entropy': 7.231803284908004, u'name': u'.rsrc', u'virtual_size': u'0x00002034'}

entropy

7.23180328491

description

A section with a high entropy has been found

entropy

0.999493414387

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 26, 2023, 6:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (21 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 1652 process_handle: 0x000002a4
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 1652 process_handle: 0x000002a4	1
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x000002b4
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 2512 process_handle: 0x000002b4	1
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 756 process_handle: 0x000002bc
NtTerminateProcess May 26, 2023, 6:17 p.m.	status_code: 0xffffffff process_identifier: 756 process_handle: 0x000002bc	1

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 1652 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 2512 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac		3221225496
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 756 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0		3221225496
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 1728 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 3040 manipulating memory of non-child process 1652
Process injection	Process 3040 manipulating memory of non-child process 2512
Process injection	Process 3040 manipulating memory of non-child process 756
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 1652 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	3221225496	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 2512 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac	3221225496	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 756 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	3221225496	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp<KÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc<KpLì@@.reloc¬:À<8@B base_address: 0x00400000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥FQ<A¦F÷>A¦F<AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x0046f000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x00475000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: V$;$>))>h)>ÙØ>Û\|&Êkk_)ÞãÍã AHA>>Ðu#u")î(^ø¥òîWFCùCùi>lÀ©ªQÏB/öC 'vµ¹E*$L<T b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00476000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1728 process_handle: 0x000002b8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp<KÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc<KpLì@@.reloc¬:À<8@B base_address: 0x00400000 process_identifier: 1728 process_handle: 0x000002b8	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 26, 2023, 6:17 p.m.	thread_identifier: 0 callback_function: 0x004098a7 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	2032053	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 called NtSetContextThread to modify thread in remote process 1728
NtSetContextThread May 26, 2023, 6:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4403962 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 1728	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 resumed a thread in remote process 1728
NtResumeThread May 26, 2023, 6:17 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1728	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

McAfee	Artemis!03DC66EB73F9
Malwarebytes	MachineLearning/Anomalous.93%
Sangfor	Trojan.Win32.Agent.Vnf5
BitDefenderTheta	Gen:NN.ZemsilF.36196.9m0@a4Cswxi
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn34
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cylance	unsafe
Panda	Trj/Chgt.AD
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenericKD.66824822!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (D)

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtResumeThread May 26, 2023, 6:16 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread May 26, 2023, 6:16 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread May 26, 2023, 6:16 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread May 26, 2023, 6:17 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3040	1	0
CreateProcessInternalW May 26, 2023, 6:17 p.m.	thread_identifier: 1604 thread_handle: 0x0000029c process_identifier: 1652 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtGetContextThread May 26, 2023, 6:17 p.m.	thread_handle: 0x0000029c	1	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 1652 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496
CreateProcessInternalW May 26, 2023, 6:17 p.m.	thread_identifier: 236 thread_handle: 0x000002a4 process_identifier: 2512 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtGetContextThread May 26, 2023, 6:17 p.m.	thread_handle: 0x000002a4	1	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 2512 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac		3221225496
CreateProcessInternalW May 26, 2023, 6:17 p.m.	thread_identifier: 1704 thread_handle: 0x000002b4 process_identifier: 756 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtGetContextThread May 26, 2023, 6:17 p.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 756 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0		3221225496
CreateProcessInternalW May 26, 2023, 6:17 p.m.	thread_identifier: 572 thread_handle: 0x000002bc process_identifier: 1728 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\plugmanzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread May 26, 2023, 6:17 p.m.	thread_handle: 0x000002bc	1	0
NtAllocateVirtualMemory May 26, 2023, 6:17 p.m.	process_identifier: 1728 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp<KÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc<KpLì@@.reloc¬:À<8@B base_address: 0x00400000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x00401000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x00457000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥FQ<A¦F÷>A¦F<AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x0046f000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x00475000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: V$;$>))>h)>ÙØ>Û\|&Êkk_)ÞãÍã AHA>>Ðu#u")î(^ø¥òîWFCùCùi>lÀ©ªQÏB/öC 'vµ¹E*$L<T b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00476000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x00477000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: base_address: 0x0047c000 process_identifier: 1728 process_handle: 0x000002b8	1	1
WriteProcessMemory May 26, 2023, 6:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1728 process_handle: 0x000002b8	1	1
NtSetContextThread May 26, 2023, 6:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4403962 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 1728	1	0
NtResumeThread May 26, 2023, 6:17 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1728	1	0

plugmanzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All