Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 7, 2023, 5:31 p.m.	Sept. 7, 2023, 5:49 p.m.

Size	630.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e244628c750d40509ef2e3e72e4c2049`
SHA256	`356799503f195db260e08a81d42a431b4ebd47cef94eddc96f24a0fd3e49d716`
CRC32	`0B0F16D5`
ssdeep	`12288:Etj+xbGF2Wi8qpq3ll2iEpiXH7Nu6GKy:aj0E2WNq03l0rpiXHhp`
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

mtxRwzg.exe "C:\Users\test22\AppData\Local\Temp\mtxRwzg.exe"
2556
- mtxRwzg.exe C:\Users\test22\AppData\Local\Temp\mtxRwzg.exe
  2640
  - cmd.exe "C:\Windows\system32\cmd.exe"
    2820
  - cmd.exe "C:\Windows\system32\cmd.exe"
    2828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 7, 2023, 5:32 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 7, 2023, 5:31 p.m.			0	0
IsDebuggerPresent Sept. 7, 2023, 5:31 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 7, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 7, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 7, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2023, 5:31 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 7, 2023, 5:31 p.m.	stacktrace: 0x2231e0e 0x20ff443 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72821838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72821737 mscorlib+0x2d3711 @ 0x71ab3711 mscorlib+0x308f2d @ 0x71ae8f2d mscorlib+0x3133fd @ 0x71af33fd 0x20f1418 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 51 f8 8a 6f 8b f8 8b ce e8 08 1c 8a 6f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2232078 registers.esp: 2025704 registers.edi: 2025764 registers.eax: 40873492 registers.ebp: 2025732 registers.edx: 40808296 registers.ebx: 2026428 registers.esi: 40894524 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 7, 2023, 5:31 p.m.

stacktrace:

0x2231e0e
0x20ff443
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72821838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72821737
mscorlib+0x2d3711 @ 0x71ab3711
mscorlib+0x308f2d @ 0x71ae8f2d
mscorlib+0x3133fd @ 0x71af33fd
0x20f1418
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 e8 51 f8 8a 6f 8b f8 8b ce e8 08 1c 8a 6f
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2232078
registers.esp: 2025704
registers.edi: 2025764
registers.eax: 40873492
registers.ebp: 2025732
registers.edx: 40808296
registers.ebx: 2026428
registers.esi: 40894524
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 56 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02221000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02223000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02226000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02228000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02229000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

mtxRwzg.exe tried to sleep 341 seconds, actually delayed analysis time by 341 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\cmd.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: mtxRwzg.exe process_identifier: 2640	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: cmd.exe process_identifier: 2820	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: cmd.exe process_identifier: 2828	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000170 process_name: is32bit.exe process_identifier: 2836	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2896	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: cmd.exe process_identifier: 3012	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 3020	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 3048	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000224 process_name: cmd.exe process_identifier: 320	1	1
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000224 process_name: taskhost.exe process_identifier: 2224	1	1
Process32NextW Sept. 7, 2023, 5:33 p.m.	snapshot_handle: 0x000000e0 process_name: svchost.exe process_identifier: 2552	1	1
Process32NextW Sept. 7, 2023, 5:33 p.m.	snapshot_handle: 0x000000e0 process_name: WmiPrvSE.exe process_identifier: 648	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009ce00', u'virtual_address': u'0x00002000', u'entropy': 6.990107673724226, u'name': u'.text', u'virtual_size': u'0x0009cc74'}

entropy

6.99010767372

description

A section with a high entropy has been found

entropy

0.996822875298

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 7, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 7, 2023, 5:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 224 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 3020		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000214 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 3048		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 3048		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000268 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x0000023c process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000270 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000284 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000284 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000214 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000274 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x000001cc process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x000001cc process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000224 process_name: conhost.exe process_identifier: 2984		0	0
Process32NextW Sept. 7, 2023, 5:32 p.m.	snapshot_handle: 0x00000224 process_name: conhost.exe process_identifier: 2984		0	0

Yara rule detected in process memory (10 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 8b306ac1584a8d4edd629a621e2c94e94320341d

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2640 region_size: 77824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxRwzg				reg_value	C:\Users\test22\AppData\Local\mtxRwzg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mtxRwzg				reg_value	C:\Users\test22\AppData\Local\mtxRwzg.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $n»¹Ú×AÚ×AÚ×A#¢TA+Ú×A#¢DA9Ú×AÚÖAEÚ×A1GIA+Ú×A1G}A+Ú×A1GyA8Ú×A1GJA+Ú×ARich*Ú×APELõP^à >§/ @0D"@4¤Èà¤ à.text `.rdata\| @@.data¹&°@À.relocîà @B.cdataX9ð:¦@À base_address: 0x00400000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: 0w,aîºQ Ämôjp5¥cé£d2Û¤¸ÜyéÕàÙÒ+L¶ ½\|±~-¸ç¿d·ò °jHq¹óÞA¾}ÔÚëäÝmQµÔôÇÓVlÀ¨kdzùbýìÉeO\Ùlcc=úõ È n;^iLäA`Õrqg¢Ñä<GÔKý Òkµ ¥ú¨µ5l²BÖÉ»Û@ù¼¬ãlØ2u\ßEÏ ÖÜY=Ñ«¬0Ù&:ÞQQ×ÈaÐ¿µô´!#Ä³VºÏ¥½¸¸(_²ÙÆ$é±\|o/LhX«aÁ=-f¶AÜvqÛ¼ ÒÕï±qµ¶¥ä¿3Ô¸è¢Éx4ù¨ á» j-=mld\cæôQkkbalØ0eNbòíl{¥ÁôWÄõÆÙ°ePé·ê¸¾\|¹üßÝbI-Úó\|ÓeLÔûXa²MÎQµ:t¼£â0»ÔA¥ßJ×Ø=mÄÑ¤ûôÖÓjéiCüÙn4FgÐ¸`Ús-Då3_L ªÉ\| Ý<qPªA'¾ É%µhW³o Ôf¹äaÎùÞ^ÉÙ)"Ð°´¨×Ç=³Y ´.;\½·lºÀ ¸í¶³¿â¶Ò±t9GÕê¯wÒ&ÛÜscã;d>jm ¨ZjzÏäÿ '® ±}DðÒ£hòþÂi]Wb÷Ëgeq6lçknvÔþà+ÓZzÚÌJÝgoß¹ùùï¾C¾·Õ°`è£ÖÖ~Ñ¡ÄÂØ8RòßOñg»ÑgW¼¦Ýµ?K6²HÚ+ ØL ¯öJ6`zAÃï`ßUßg¨ïn1y¾iF³aËf¼ Òo%6âhRwÌG»¹"/&U¾;ºÅ(½²Z´+j³\§ÿ×Â1ÏÐµÙ,®Þ[°Âd&òcì£ju m© ?6ëgrWJ¿z¸â®+±{8¶Ò ¾Õå·ïÜ\|!ßÛÔÒÓBâÔñø³ÝhnÚÍ¾[&¹öáw°owG·æZpjÿÊ;f\ÿei®bøÓÿkaEÏlxâ îÒ ×TNÂ³9a&g§÷`ÐMGiIÛwn>JjÑ®ÜZÖÙfß@ð;Ø7S®¼©Å»ÞÏ²Géÿµ0ò½½ÂºÊ0³S¦£´$6Ðº×Í)WÞT¿gÙ#.zf³¸JaÄh]+o7¾´¡ÃßZï-ð£@Ü£@ø;X9êsaÇIå(z$äLy(û4vSPøoQ>DK base_address: 0x0040b000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: L0i0t01þ23«3È3ñ34F4M4]4ª4Í4Ô4ä4v7ì8::9;m;G<v<Ó<ï<5=Å=h>>@?\|?å? 0H0`0Î0û0(1¼1×12Z3ú344F4T4\4t444¦44ú4±6r77¯7÷7828ú89:&:I:Y:d:x::¶:;U<<=O=W==²=Ý=ù=)>G>©>¶>Ñ>è>?$?3?:????°?02´2¼2 3]3Í3Ö3ì3[4d44¦4»4Å4ß435B5©7Â7Ê7ô788²8Å8ó8(959999F:b:{:¨:´:[;;V<¤<Ì<Õ<é<ï<= =#=/==£=×=Þ=ð=>/>D>Z>a>>>Û>??è?õ?@(001I1P11£1Ø1ã2333·3Q4X4g4µ4Ó45555>6P6W6ã697L7¥7¯7ü7&8 99S9:W:s:z:¥:´:Ç:ß:;<C<µ<Ö<â<ù<===©=³=>:>@>j>x>>Ø>ß> ?/?>?X?? ?·?PtD00Ý0î0111~11¤1Ë1å1a2s2ä2ÿ2)343}333¨3Û3ð3ø3!4545 5«5Í5?7H7w7¦7»7Í7ì8ô8M9l9u999:æ:;±=È=6>>¯>Ì>ß>`ô 0r0}0[3´4Ô4Ü4ã465<5N55555¤5Ñ5þ5+6f6r6\|66¦6³6'707@7P7^777¥7³7û788$8/8\|888¥8°8999£9®9µ9Ä9Ë9Í:Ô:á:í:ü:;;;7;@;M;Y;t;};;;³;¼;É;Ô;ï;ø;<<<3<@<L<e<l<y<<º<Ä<Ñ<Ý<ì<õ<==)=2=?=K=f=o=\|===©=½=Í=ç=ó=>>0>>>R>c>>>>¬>õ?ü?p¼ 00/060C0O0^0j0w000§0·0Ã0Û0ä0ð0ü01 1-181R1[1h1t111¥1±1Ñ1Ý1ê1õ122262H2Q2^2j2222ª2¹2Ë2ß2ó233+3;3P3e3u333§3»3Ì3¥7í7ô7û78 888%8+81878=8G8U8^8g8v88888¦8¸8¿8Ò8î8`Ð3~5555ª5µ5À5Ë5ò5æ67õ7878^88¯8:9h9d::¾:å:;A;~;ë;<Õ<ó<A>[>q>> >²>Ú>ð>ÿ>??? O0V0n0u000©0°0ù45 55°44 base_address: 0x0040e000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2640 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $n»¹Ú×AÚ×AÚ×A#¢TA+Ú×A#¢DA9Ú×AÚÖAEÚ×A1GIA+Ú×A1G}A+Ú×A1GyA8Ú×A1GJA+Ú×ARich*Ú×APELõP^à >§/ @0D"@4¤Èà¤ à.text `.rdata\| @@.data¹&°@À.relocîà @B.cdataX9ð:¦@À base_address: 0x00400000 process_identifier: 2640 process_handle: 0x0000027c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2640
NtSetContextThread Sept. 7, 2023, 5:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4206503 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2640	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2640
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2640	1	0	0

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW Sept. 7, 2023, 5:31 p.m.	thread_identifier: 2644 thread_handle: 0x00000274 process_identifier: 2640 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\mtxRwzg.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory Sept. 7, 2023, 5:31 p.m.	process_identifier: 2640 region_size: 77824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $n»¹Ú×AÚ×AÚ×A#¢TA+Ú×A#¢DA9Ú×AÚÖAEÚ×A1GIA+Ú×A1G}A+Ú×A1GyA8Ú×A1GJA+Ú×ARich*Ú×APELõP^à >§/ @0D"@4¤Èà¤ à.text `.rdata\| @@.data¹&°@À.relocîà @B.cdataX9ð:¦@À base_address: 0x00400000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: base_address: 0x00401000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: base_address: 0x0040a000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: 0w,aîºQ Ämôjp5¥cé£d2Û¤¸ÜyéÕàÙÒ+L¶ ½\|±~-¸ç¿d·ò °jHq¹óÞA¾}ÔÚëäÝmQµÔôÇÓVlÀ¨kdzùbýìÉeO\Ùlcc=úõ È n;^iLäA`Õrqg¢Ñä<GÔKý Òkµ ¥ú¨µ5l²BÖÉ»Û@ù¼¬ãlØ2u\ßEÏ ÖÜY=Ñ«¬0Ù&:ÞQQ×ÈaÐ¿µô´!#Ä³VºÏ¥½¸¸(_²ÙÆ$é±\|o/LhX«aÁ=-f¶AÜvqÛ¼ ÒÕï±qµ¶¥ä¿3Ô¸è¢Éx4ù¨ á» j-=mld\cæôQkkbalØ0eNbòíl{¥ÁôWÄõÆÙ°ePé·ê¸¾\|¹üßÝbI-Úó\|ÓeLÔûXa²MÎQµ:t¼£â0»ÔA¥ßJ×Ø=mÄÑ¤ûôÖÓjéiCüÙn4FgÐ¸`Ús-Då3_L ªÉ\| Ý<qPªA'¾ É%µhW³o Ôf¹äaÎùÞ^ÉÙ)"Ð°´¨×Ç=³Y ´.;\½·lºÀ ¸í¶³¿â¶Ò±t9GÕê¯wÒ&ÛÜscã;d>jm ¨ZjzÏäÿ '® ±}DðÒ£hòþÂi]Wb÷Ëgeq6lçknvÔþà+ÓZzÚÌJÝgoß¹ùùï¾C¾·Õ°`è£ÖÖ~Ñ¡ÄÂØ8RòßOñg»ÑgW¼¦Ýµ?K6²HÚ+ ØL ¯öJ6`zAÃï`ßUßg¨ïn1y¾iF³aËf¼ Òo%6âhRwÌG»¹"/&U¾;ºÅ(½²Z´+j³\§ÿ×Â1ÏÐµÙ,®Þ[°Âd&òcì£ju m© ?6ëgrWJ¿z¸â®+±{8¶Ò ¾Õå·ïÜ\|!ßÛÔÒÓBâÔñø³ÝhnÚÍ¾[&¹öáw°owG·æZpjÿÊ;f\ÿei®bøÓÿkaEÏlxâ îÒ ×TNÂ³9a&g§÷`ÐMGiIÛwn>JjÑ®ÜZÖÙfß@ð;Ø7S®¼©Å»ÞÏ²Géÿµ0ò½½ÂºÊ0³S¦£´$6Ðº×Í)WÞT¿gÙ#.zf³¸JaÄh]+o7¾´¡ÃßZï-ð£@Ü£@ø;X9êsaÇIå(z$äLy(û4vSPøoQ>DK base_address: 0x0040b000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: L0i0t01þ23«3È3ñ34F4M4]4ª4Í4Ô4ä4v7ì8::9;m;G<v<Ó<ï<5=Å=h>>@?\|?å? 0H0`0Î0û0(1¼1×12Z3ú344F4T4\4t444¦44ú4±6r77¯7÷7828ú89:&:I:Y:d:x::¶:;U<<=O=W==²=Ý=ù=)>G>©>¶>Ñ>è>?$?3?:????°?02´2¼2 3]3Í3Ö3ì3[4d44¦4»4Å4ß435B5©7Â7Ê7ô788²8Å8ó8(959999F:b:{:¨:´:[;;V<¤<Ì<Õ<é<ï<= =#=/==£=×=Þ=ð=>/>D>Z>a>>>Û>??è?õ?@(001I1P11£1Ø1ã2333·3Q4X4g4µ4Ó45555>6P6W6ã697L7¥7¯7ü7&8 99S9:W:s:z:¥:´:Ç:ß:;<C<µ<Ö<â<ù<===©=³=>:>@>j>x>>Ø>ß> ?/?>?X?? ?·?PtD00Ý0î0111~11¤1Ë1å1a2s2ä2ÿ2)343}333¨3Û3ð3ø3!4545 5«5Í5?7H7w7¦7»7Í7ì8ô8M9l9u999:æ:;±=È=6>>¯>Ì>ß>`ô 0r0}0[3´4Ô4Ü4ã465<5N55555¤5Ñ5þ5+6f6r6\|66¦6³6'707@7P7^777¥7³7û788$8/8\|888¥8°8999£9®9µ9Ä9Ë9Í:Ô:á:í:ü:;;;7;@;M;Y;t;};;;³;¼;É;Ô;ï;ø;<<<3<@<L<e<l<y<<º<Ä<Ñ<Ý<ì<õ<==)=2=?=K=f=o=\|===©=½=Í=ç=ó=>>0>>>R>c>>>>¬>õ?ü?p¼ 00/060C0O0^0j0w000§0·0Ã0Û0ä0ð0ü01 1-181R1[1h1t111¥1±1Ñ1Ý1ê1õ122262H2Q2^2j2222ª2¹2Ë2ß2ó233+3;3P3e3u333§3»3Ì3¥7í7ô7û78 888%8+81878=8G8U8^8g8v88888¦8¸8¿8Ò8î8`Ð3~5555ª5µ5À5Ë5ò5æ67õ7878^88¯8:9h9d::¾:å:;A;~;ë;<Õ<ó<A>[>q>> >²>Ú>ð>ÿ>??? O0V0n0u000©0°0ù45 55°44 base_address: 0x0040e000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: base_address: 0x0040f000 process_identifier: 2640 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 7, 2023, 5:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2640 process_handle: 0x0000027c	1	1
NtSetContextThread Sept. 7, 2023, 5:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4206503 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 2640	1	0
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Sept. 7, 2023, 5:31 p.m.	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Sept. 7, 2023, 5:32 p.m.	thread_identifier: 2824 thread_handle: 0x00000140 process_identifier: 2820 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000144	1	1
CreateProcessInternalW Sept. 7, 2023, 5:32 p.m.	thread_identifier: 2832 thread_handle: 0x0000014c process_identifier: 2828 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000148	1	1

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

tehtris	Generic.Malware
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Zusy.483237
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.c00580
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.Zusy.483237
MicroWorld-eScan	Gen:Variant.Zusy.483237
Avast	Win32:RansomX-gen [Ransom]
Emsisoft	Gen:Variant.Zusy.483237 (B)
VIPRE	Gen:Variant.Zusy.483237
McAfee-GW-Edition	BehavesLike.Win32.Generic.jh
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.e244628c750d4050
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.Zusy.483237
Arcabit	Trojan.Zusy.D75FA5
ZoneAlarm	UDS:Trojan-Downloader.MSIL.Seraph.gen
Microsoft	Ransom:Win32/Genasom
Google	Detected
McAfee	Artemis!E244628C750D
MAX	malware (ai score=89)
Malwarebytes	Trojan.Crypt.MSIL
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.36662.Nm0@a8Bxtrh
AVG	Win32:RansomX-gen [Ransom]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

mtxRwzg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All