Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 23, 2025, 6:26 a.m.	Jan. 23, 2025, 6:29 a.m.

Size	93.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e9987ac76debe4d7c754f30cec95d618`
SHA256	`56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1`
CRC32	`2B6C31C5`
ssdeep	`1536:GYqUZFRPmGvMzLsvOnjEwzGi1dDvDogS:GYRRPmGvMzIvOMi1dXR`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

mod.exe "C:\Users\test22\AppData\Local\Temp\mod.exe"
1872
- server.exe "C:\Users\test22\AppData\Roaming\server.exe"
  2168
  - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Roaming\server.exe" "server.exe" ENABLE
    2456

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 22, 2025, 1:47 p.m.			0	0
IsDebuggerPresent Jan. 22, 2025, 1:48 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Jan. 22, 2025, 1:48 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Jan. 22, 2025, 1:48 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 22, 2025, 1:48 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 22, 2025, 1:48 p.m.	stacktrace: CorExitProcess+0xe931 GetCLRFunction-0x1d566 mscorwks+0x12129f @ 0x73f8129f CorExitProcess+0xed0c GetCLRFunction-0x1d18b mscorwks+0x12167a @ 0x73f8167a mscorlib+0x226f2c @ 0x721a6f2c system+0x5bfb4c @ 0x7339fb4c system+0x5bf4ec @ 0x7339f4ec system+0x58391f @ 0x7336391f system+0x585a14 @ 0x73365a14 system+0x5838cd @ 0x733638cd system+0x5ada48 @ 0x7338da48 mscorlib+0x1e843f @ 0x7216843f mscorlib+0x1e83ab @ 0x721683ab CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e61b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e78dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73e793cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73e7940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73e79479 CreateAssemblyNameObject+0xccc6 DllRegisterServerInternal-0x345d mscorwks+0x52e09 @ 0x73eb2e09 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73eb192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73eb18cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73eb17f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73eb197d CreateAssemblyNameObject+0xc655 DllRegisterServerInternal-0x3ace mscorwks+0x52798 @ 0x73eb2798 CreateAssemblyNameObject+0xcc46 DllRegisterServerInternal-0x34dd mscorwks+0x52d89 @ 0x73eb2d89 CreateAssemblyNameObject+0xcc75 DllRegisterServerInternal-0x34ae mscorwks+0x52db8 @ 0x73eb2db8 CreateAssemblyNameObject+0xcd1b DllRegisterServerInternal-0x3408 mscorwks+0x52e5e @ 0x73eb2e5e CreateAssemblyNameObject+0xc9dd DllRegisterServerInternal-0x3746 mscorwks+0x52b20 @ 0x73eb2b20 CreateAssemblyNameObject+0xc2ef DllRegisterServerInternal-0x3e34 mscorwks+0x52432 @ 0x73eb2432 GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73fc805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 102560260 registers.edi: 0 registers.eax: 102560260 registers.ebp: 102560340 registers.edx: 0 registers.ebx: 64 registers.esi: 8128592 registers.ecx: 1944785264	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 22, 2025, 1:48 p.m.

stacktrace:

CorExitProcess+0xe931 GetCLRFunction-0x1d566 mscorwks+0x12129f @ 0x73f8129f
CorExitProcess+0xed0c GetCLRFunction-0x1d18b mscorwks+0x12167a @ 0x73f8167a
mscorlib+0x226f2c @ 0x721a6f2c
system+0x5bfb4c @ 0x7339fb4c
system+0x5bf4ec @ 0x7339f4ec
system+0x58391f @ 0x7336391f
system+0x585a14 @ 0x73365a14
system+0x5838cd @ 0x733638cd
system+0x5ada48 @ 0x7338da48
mscorlib+0x1e843f @ 0x7216843f
mscorlib+0x1e83ab @ 0x721683ab
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73e61b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73e78dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73e793cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73e7940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73e79479
CreateAssemblyNameObject+0xccc6 DllRegisterServerInternal-0x345d mscorwks+0x52e09 @ 0x73eb2e09
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x73eb192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x73eb18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x73eb17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x73eb197d
CreateAssemblyNameObject+0xc655 DllRegisterServerInternal-0x3ace mscorwks+0x52798 @ 0x73eb2798
CreateAssemblyNameObject+0xcc46 DllRegisterServerInternal-0x34dd mscorwks+0x52d89 @ 0x73eb2d89
CreateAssemblyNameObject+0xcc75 DllRegisterServerInternal-0x34ae mscorwks+0x52db8 @ 0x73eb2db8
CreateAssemblyNameObject+0xcd1b DllRegisterServerInternal-0x3408 mscorwks+0x52e5e @ 0x73eb2e5e
CreateAssemblyNameObject+0xc9dd DllRegisterServerInternal-0x3746 mscorwks+0x52b20 @ 0x73eb2b20
CreateAssemblyNameObject+0xc2ef DllRegisterServerInternal-0x3e34 mscorwks+0x52432 @ 0x73eb2432
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x73fc805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 102560260
registers.edi: 0
registers.eax: 102560260
registers.ebp: 102560340
registers.edx: 0
registers.ebx: 64
registers.esi: 8128592
registers.ecx: 1944785264

Allocates read-write-execute memory (usually to unpack itself) (50 out of 55 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:47 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 1872 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:48 p.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates an autorun.inf file (1 event)

file	C:\autorun.inf

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\server.exe

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Jan. 22, 2025, 1:48 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\server.exe filepath: C:\Users\test22\AppData\Roaming\server.exe	1	1
SetFileAttributesW Jan. 22, 2025, 1:48 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\autorun.inf filepath: C:\autorun.inf	1	1
SetFileAttributesW Jan. 22, 2025, 1:48 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Umbrella.flv.exe filepath: C:\Umbrella.flv.exe	1	1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 22, 2025, 1:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh firewall add allowedprogram "C:\Users\test22\AppData\Roaming\server.exe" "server.exe" ENABLE

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 22, 2025, 1:48 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

server.exe tried to sleep 2728175 seconds, actually delayed analysis time by 2728175 seconds

Executed a process and injected code into it, probably while unpacking (50 out of 56 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 22, 2025, 1:47 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1872	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1872	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 1872	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 1872	1	0
CreateProcessInternalW Jan. 22, 2025, 1:48 p.m.	thread_identifier: 2172 thread_handle: 0x000003c4 process_identifier: 2168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\server.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\server.exe" filepath_r: C:\Users\test22\AppData\Roaming\server.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2168	1	0
CreateProcessInternalW Jan. 22, 2025, 1:48 p.m.	thread_identifier: 2460 thread_handle: 0x0000026c process_identifier: 2456 current_directory: filepath: track: 1 command_line: netsh firewall add allowedprogram "C:\Users\test22\AppData\Roaming\server.exe" "server.exe" ENABLE filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000270	1	1
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtSetContextThread Jan. 22, 2025, 1:48 p.m.	registers.eip: 1945638515 registers.esp: 102560456 registers.edi: 49208848 registers.eax: 10 registers.ebp: 102560500 registers.edx: 22 registers.ebx: 0 registers.esi: 49208904 registers.ecx: 89 thread_handle: 0x00000318 process_identifier: 2168	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000000d8	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000000d8	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0
NtResumeThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2168	1	0
NtGetContextThread Jan. 22, 2025, 1:48 p.m.	thread_handle: 0x00000318	1	0

mod.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All