Summary | ZeroBOX

ma.exe

Tags: UPX, Malicious Library, Malicious Packer, Downloader, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, P2P, DGA, Http API, FTP, Socket, Escalate priviledges, DNS, Code injection, PWS, Sniff Audio, Steal credential, AntiDebug, PE64, PE File, AntiVM

Category: FILE
Machine: s1_win7_x6401
Started: June 27, 2024, 10:08 a.m.
Completed: June 27, 2024, 10:13 a.m.
Size 5.0MB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 a3fb2b623f4490ae1979fea68cfe36d6
SHA256 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
CRC32 CC54CC45
ssdeep 98304:xrd0tlZ+I89l7cGcGI4G/Mul2rq/aReDkizMeQUz4:x+tlQ4zGk/Mul2rVe4iwVU
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address / Status / Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW (33 identical calls)

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent (4 identical calls)

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "ERGVRDVMSK" has successfully been created.
console_handle: 0x0000000000000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name ACTIONS
resource name AFX_DIALOG_LAYOUT
resource name TYPELIB
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x7fe93a3b111
0x7fe93a2cf9a
0x7fe93a2ce9f
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef30bf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef30bf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef30bf30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef325721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3257976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3257870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef32573e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef325733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3253ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 80 3b 00 48 8b d0 48 8b cb e8 51 60 54 5e 0f b6
exception.instruction: cmp byte ptr [rbx], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe93a3b111
registers.r14: 0
registers.r15: 0
registers.rcx: 52171400
registers.rsi: 0
registers.r10: 8796092039192
registers.rbx: 0
registers.rsp: 5635920
registers.r11: 52171400
registers.r8: 0
registers.r9: 0
registers.rdx: 52171400
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 52172768
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000aa0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef406b000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000029c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002b60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9423a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9424c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94316000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9424d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94391000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9423b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9439b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9439c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9424a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9425b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9428c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9425d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94232000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000008d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2316000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9439d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9439e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe943aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
name AFX_DIALOG_LAYOUT language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x004b5808 size 0x00000002 (36 entries)
name RT_BITMAP language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x004bbbdc size 0x00000144 (4 entries)
name None language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00502c38 size 0x00000065 (4 entries)
name None language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00502ca0 size 0x00000024
file C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
file C:\Users\test22\AppData\Local\Temp\tmp21CB.tmp.bat
cmdline cmd /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
cmdline schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2824
thread_handle: 0x0000000000000214
process_identifier: 2820
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\tmp21CB.tmp.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000000000000022c
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
filepath: cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000000832000
process_handle: 0xffffffffffffffff
1 0 0
section .text: size_of_data 0x004b0000, virtual_address 0x00002000, virtual_size 0x004afe30, entropy 7.631268535130734 description A section with a high entropy has been found
entropy 0.936859568654 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
url http://ocsp.digicert.com0C
url http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
url http://ocsp.digicert.com0A
url http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
url http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
url http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
url http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
url http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
url http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
url http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
url https://www.security.us.panasonic.com
url http://www.digicert.com/CPS0
url http://ocsp.digicert.com0
url http://ocsp.digicert.com0X
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
Process injection Process 2820 resumed a thread in remote process 2956
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2956
1 0 0
Bkav W64.AIDetectMalware.CS
Lionic Trojan.Win32.XMRig.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
ALYac Gen:Variant.MSILHeracles.145614
Cylance Unsafe
VIPRE Gen:Variant.MSILHeracles.145614
Sangfor CoinMiner.Msil.Xmrig.Vasq
K7AntiVirus Trojan ( 005b059d1 )
BitDefender Gen:Variant.MSILHeracles.145614
K7GW Trojan ( 005b059d1 )
Cybereason malicious.23f449
Arcabit Trojan.MSILHeracles.D238CE
VirIT Trojan.Win64.CoinMiner.D
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of MSIL/CoinMiner.BWR
McAfee Artemis!A3FB2B623F44
Avast Win64:CoinminerX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Trojan:MSIL/XMRig.89791cc6
NANO-Antivirus Trojan.Win64.Nekark.kipbkc
MicroWorld-eScan Gen:Variant.MSILHeracles.145614
Rising Malware.Obfus/MSIL@AI.86 (RDM.MSIL2:AHmBSCGz3TCvY5jWwPclbQ)
Emsisoft Gen:Variant.MSILHeracles.145614 (B)
F-Secure Trojan.TR/AD.Nekark.ehqbu
DrWeb Trojan.Siggen25.48191
Zillya Trojan.Generic.Win32.1861576
TrendMicro TROJ_GEN.R03BC0XBE24
McAfeeD ti!3BC9C1D7F87F
FireEye Generic.mg.a3fb2b623f4490ae
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Xmrig
Webroot W32.Trojan.Gen
Google Detected
Avira TR/AD.Nekark.ehqbu
MAX malware (ai score=87)
Antiy-AVL Trojan/MSIL.CoinMiner
Kingsoft Win32.Trojan.Generic.a
Gridinsoft Ransom.Win64.Sabsik.cl
Xcitium Malware@#1hon5dlb0a1cq
Microsoft Trojan:MSIL/XMRig.A!MTB
ViRobot Trojan.Win.Z.Agent.5246976
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.MSILHeracles.145614
Varist W64/MSIL_Agent.HHG.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R635999
DeepInstinct MALICIOUS
VBA32 Trojan.Sabsik.FL