Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2023, 10:15 a.m.	Sept. 25, 2023, 10:18 a.m.

Size	498.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`795d3334576dc4a7e2b480e62c57fb6c`
SHA256	`be0189e9af3e8929a3f23d2077ed2a5162e4e7801386cf637d1e449a35eb0671`
CRC32	`FDD3DDAD`
ssdeep	`12288:n61FAKEbtz2RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRk:n61FFE`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

collar.exe "C:\Users\test22\AppData\Local\Temp\collar.exe"
1880
- collar.exe "C:\Users\test22\AppData\Local\Temp\collar.exe"
  2508
- cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
  2592
- cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\collar.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
  2664
- cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
  2628
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
    2760

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 25, 2023, 10:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 25, 2023, 10:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 10:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 25, 2023, 10:16 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 25, 2023, 10:15 a.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 10:15 a.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 10:15 a.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 10:15 a.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 10:16 a.m.			0	0
IsDebuggerPresent Sept. 25, 2023, 10:16 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e56c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e56c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e56c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e56c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00461f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00461f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00461f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00461f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00488338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00488338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00488338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2023, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00488338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2023, 10:15 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:16 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2023, 10:16 a.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 25, 2023, 10:16 a.m.	total_number_of_free_bytes: 9934307328 free_bytes_available: 9934307328 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a suspicious process (4 events)

cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c copy "C:\Users\test22\AppData\Local\Temp\collar.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2596 thread_handle: 0x00000298 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002ac	1	1
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2632 thread_handle: 0x00000298 process_identifier: 2628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2668 thread_handle: 0x00000298 process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\collar.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00020e00', u'virtual_address': u'0x00002000', u'entropy': 7.382693715961748, u'name': u'.text', u'virtual_size': u'0x00020d78'}

entropy

7.38269371596

description

A section with a high entropy has been found

entropy

0.26432160804

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 25, 2023, 10:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Remote Administration toolkit using webcam	rule	RAT_WebCam
description	Run a KeyLogger	rule	KeyLogger

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0	0

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`,ßdà~þ @ à@¬O À H.text\| ~ `.rsrc @@.relocÀ@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: 8Ph l£êl4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÌStringFileInfo¨000004b0,FileDescription 0FileVersion1.0.0.0LInternalNameXClientfresh7002.exe(LegalCopyright TOriginalFilenameXClientfresh7002.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0040a000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: < base_address: 0x0040c000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`,ßdà~þ @ à@¬O À H.text\| ~ `.rsrc @@.relocÀ@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x0000027c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 25, 2023, 10:16 a.m.	thread_identifier: 0 callback_function: 0x00ba0852 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	786877	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 called NtSetContextThread to modify thread in remote process 2508
NtSetContextThread Sept. 25, 2023, 10:15 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4234238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2508	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptHashData Sept. 25, 2023, 10:16 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0078fe28 flags: 0	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 resumed a thread in remote process 2508
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2508	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1880	1	0
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1880	1	0
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2512 thread_handle: 0x00000278 process_identifier: 2508 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\collar.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\collar.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\collar.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory Sept. 25, 2023, 10:15 a.m.	process_identifier: 2508 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`,ßdà~þ @ à@¬O À H.text\| ~ `.rsrc @@.relocÀ@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: base_address: 0x00402000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: 8Ph l£êl4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÌStringFileInfo¨000004b0,FileDescription 0FileVersion1.0.0.0LInternalNameXClientfresh7002.exe(LegalCopyright TOriginalFilenameXClientfresh7002.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0040a000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: < base_address: 0x0040c000 process_identifier: 2508 process_handle: 0x0000027c	1	1
WriteProcessMemory Sept. 25, 2023, 10:15 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x0000027c	1	1
NtSetContextThread Sept. 25, 2023, 10:15 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4234238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2508	1	0
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2596 thread_handle: 0x00000298 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002ac	1	1
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2632 thread_handle: 0x00000298 process_identifier: 2628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2668 thread_handle: 0x00000298 process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\collar.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:15 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:16 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:16 a.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2508	1	0
NtResumeThread Sept. 25, 2023, 10:16 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2508	1	0
CreateProcessInternalW Sept. 25, 2023, 10:15 a.m.	thread_identifier: 2764 thread_handle: 0x00000084 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

MicroWorld-eScan	Gen:Variant.MSILHeracles.111387
FireEye	Generic.mg.795d3334576dc4a7
ALYac	Gen:Variant.MSILHeracles.111387
Malwarebytes	Trojan.Crypt.MSIL
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.MSILHeracles.D1B31B
Cyren	W32/MSIL_Kryptik.JLU.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.XWorm.gen
BitDefender	Gen:Variant.MSILHeracles.111387
Avast	RATX-gen [Trj]
Emsisoft	Gen:Variant.MSILHeracles.111387 (B)
VIPRE	Gen:Variant.MSILHeracles.111387
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A
Ikarus	Trojan.MSIL.Crypt
Gridinsoft	Malware.Win32.XWorm.bot
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Backdoor.MSIL.XWorm.gen
GData	Gen:Variant.MSILHeracles.111387
Google	Detected
MAX	malware (ai score=86)
Cylance	unsafe
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:+mcSAd+MxHo4rdMsymzLAw)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AHUA!tr
BitDefenderTheta	Gen:NN.ZemsilF.36722.Fm0@aiqN0cpi
AVG	RATX-gen [Trj]
Cybereason	malicious.a6cdcf
DeepInstinct	MALICIOUS

collar.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All