Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 7, 2023, 5:24 p.m.	June 7, 2023, 5:27 p.m.

Size	571.5KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`58a91896eaf6efe03ffe6ebb7b731792`
SHA256	`dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e`
CRC32	`79A736B4`
ssdeep	`12288:OBm+u0O5pDETlQ6ocFa59nBTDvdeLu3jaLWGaGAXd:uzAgQ6Y59hDvdeLuTwK`
PDB Path	NBNNhH873.pdb
Yara	IsPE64 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT ConfuserEx_Zero - Confuser .NET PE_Header_Zero - PE File Signature

nevv.exe "C:\Users\test22\AppData\Local\Temp\nevv.exe"
524
- aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2112

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.65.134.166	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 5:24 p.m.			0	0
IsDebuggerPresent June 7, 2023, 5:24 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

NBNNhH873.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2023, 5:24 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3641000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3cdb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ead000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eaf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008e600', u'virtual_address': u'0x00002000', u'entropy': 7.511239938683684, u'name': u'.text', u'virtual_size': u'0x0008e440'}

entropy

7.51123993868

description

A section with a high entropy has been found

entropy

0.997373029772

description

Overall entropy of this PE file is high

Yara rule detected in process memory (21 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (1 event)

host

185.65.134.166

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 2112 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000220	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp@NÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc@NpPì@@.reloc¬:À<<@B base_address: 0x0000000000400000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥FQ<A¦F÷>A¦F<AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x000000000046f000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x0000000000475000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: V$;$>))>h)>ÙØ>Û\|&Êkk_)ÞãÍã AHA>>Ðu#u")î(^ø¥òîWFCùCùi>lÀ©ªQÏB/öC 'vµ¹E*$L<T b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0000000000476000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2112 process_handle: 0x0000000000000220	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp@NÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc@NpPì@@.reloc¬:À<<@B base_address: 0x0000000000400000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 524 resumed a thread in remote process 2112
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2112	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 524	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x00000000000001f4 suspend_count: 1 process_identifier: 524	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x0000000000000208 suspend_count: 1 process_identifier: 524	1	0
NtGetContextThread June 7, 2023, 5:24 p.m.	thread_handle: 0x0000000000000208	1	0
NtGetContextThread June 7, 2023, 5:24 p.m.	thread_handle: 0x0000000000000208	1	0
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x0000000000000208 suspend_count: 1 process_identifier: 524	1	0
CreateProcessInternalW June 7, 2023, 5:24 p.m.	thread_identifier: 2116 thread_handle: 0x000000000000021c process_identifier: 2112 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000220	1	1
NtAllocateVirtualMemory June 7, 2023, 5:24 p.m.	process_identifier: 2112 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000220	1	0
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPELpAdà\ú2p@èÍp@NÀ¬:²8³¸²@pÈ.textkZ\ `.rdataÜwpx`@@.data\ðØ@À.tls Pæ@À.gfids0`è@@.rsrc@NpPì@@.reloc¬:À<<@B base_address: 0x0000000000400000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x0000000000401000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x0000000000457000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥FQ<A¦F÷>A¦F<AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x000000000046f000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x0000000000475000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: V$;$>))>h)>ÙØ>Û\|&Êkk_)ÞãÍã AHA>>Ðu#u")î(^ø¥òîWFCùCùi>lÀ©ªQÏB/öC 'vµ¹E*$L<T b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0000000000476000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x0000000000477000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: base_address: 0x000000000047c000 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
WriteProcessMemory June 7, 2023, 5:24 p.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2112 process_handle: 0x0000000000000220	1	1
NtResumeThread June 7, 2023, 5:24 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2112	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Remcos.4!c
MicroWorld-eScan	Gen:Variant.Cerbu.180493
FireEye	Gen:Variant.Cerbu.180493
McAfee	Artemis!58A91896EAF6
Malwarebytes	Trojan.MalPack
VIPRE	Gen:Variant.Cerbu.180493
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059d5f51 )
Alibaba	Backdoor:MSIL/Remcos.cc9629f1
K7GW	Trojan ( 0059d5f51 )
Arcabit	Trojan.Cerbu.D2C10D
VirIT	Trojan.Win64.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHQJ
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
BitDefender	Gen:Variant.Cerbu.180493
Avast	Win64:PWSX-gen [Trj]
Tencent	Msil.Backdoor.Remcos.Hmnw
Emsisoft	Gen:Variant.Cerbu.180493 (B)
F-Secure	Trojan.TR/Kryptik.svxvp
McAfee-GW-Edition	BehavesLike.Win64.Keylog.hc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.FL
Avira	TR/Kryptik.svxvp
MAX	malware (ai score=85)
Gridinsoft	Trojan.Win64.Remcos.bot
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
GData	Gen:Variant.Cerbu.180493
Google	Detected
AhnLab-V3	Trojan/Win.Injection.C5438104
Acronis	suspicious
ALYac	Gen:Variant.Cerbu.180493
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CF623
Rising	Malware.Obfus/MSIL@AI.86 (RDM.MSIL2:Z1mB02R8pUyLwPp0ZZzOQQ)
Ikarus	Trojan.Inject
Fortinet	MSIL/Kryptik.AHQB!tr
AVG	Win64:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

nevv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All