Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	March 17, 2021, 11:01 p.m.	March 17, 2021, 11:04 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ce0f93d2bb7f18632d6695cf4800f436`
SHA256	`9624e9bf93ace2e4b9106fb1b30c1dfb9de68bf63f4fb9559f11078569fbe334`
CRC32	`BAA4DC95`
ssdeep	`6144:QVUWkqsPUI4MZEDjklKbkAtG17jBH6Em5lUTpwXHxCJfvELiC:QhkqsP`
Yara	PE_Header_Zero - PE File Signature Zero Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check

1488.txt "C:\Users\Administrator\AppData\Local\Temp\1488.txt"
3092
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  2244
  - timeout.exe timeout 1
    2544
- 1488.txt "C:\Users\Administrator\AppData\Local\Temp\1488.txt"
  3848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.194.11.64	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 17, 2021, 10:57 p.m.	computer_name: WIN7-PC	1	1	0
GetComputerNameW March 17, 2021, 10:57 p.m.	computer_name: WIN7-PC	1	1	0

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0
IsDebuggerPresent March 17, 2021, 10:57 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 17, 2021, 10:57 p.m.	buffer: 초 기다리는 중, 계속하려면 아무 키가 누르십시오 ... console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006623d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006623d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 17, 2021, 10:57 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00662458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2021, 10:57 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 17, 2021, 10:57 p.m.	stacktrace: 0x8aa434 0x8a9967 0x8a6267 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737 mscorlib+0x2d3711 @ 0x60993711 mscorlib+0x308f2d @ 0x609c8f2d mscorlib+0x2cb060 @ 0x6098b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737 mscorlib+0x2d36ad @ 0x609936ad mscorlib+0x308f2d @ 0x609c8f2d microsoft+0x50c17 @ 0x656b0c17 microsoft+0x3f33f @ 0x6569f33f microsoft+0x3edf8 @ 0x6569edf8 microsoft+0x3e3b9 @ 0x6569e3b9 microsoft+0x17e980 @ 0x657de980 0x8f0116 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737 mscorlib+0xb2496c @ 0x611e496c mscorlib+0x2cb060 @ 0x6098b060 0x8a5dd0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6a162e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6a2174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6a217610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6a2a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6a2a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6a2a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6a2a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x706bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70737f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70734de3 RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5 RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8 exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41 exception.instruction: movsx eax, word ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ad2 exception.address: 0x609c5ad2 registers.esp: 1498468 registers.edi: 1498492 registers.eax: 0 registers.ebp: 1498504 registers.edx: 0 registers.ebx: 41036808 registers.esi: 10551370 registers.ecx: 10551370	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 17, 2021, 10:57 p.m.

stacktrace:

0x8aa434
0x8a9967
0x8a6267
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737
mscorlib+0x2d3711 @ 0x60993711
mscorlib+0x308f2d @ 0x609c8f2d
mscorlib+0x2cb060 @ 0x6098b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737
mscorlib+0x2d36ad @ 0x609936ad
mscorlib+0x308f2d @ 0x609c8f2d
microsoft+0x50c17 @ 0x656b0c17
microsoft+0x3f33f @ 0x6569f33f
microsoft+0x3edf8 @ 0x6569edf8
microsoft+0x3e3b9 @ 0x6569e3b9
microsoft+0x17e980 @ 0x657de980
0x8f0116
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a1d1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a1d1737
mscorlib+0xb2496c @ 0x611e496c
mscorlib+0x2cb060 @ 0x6098b060
0x8a5dd0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a152652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a16264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6a162e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6a2174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6a217610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6a2a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6a2a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6a2a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6a2a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x706bf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70737f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70734de3
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41
exception.instruction: movsx eax, word ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x305ad2
exception.address: 0x609c5ad2
registers.esp: 1498468
registers.edi: 1498492
registers.eax: 0
registers.ebp: 1498504
registers.edx: 0
registers.ebx: 41036808
registers.esi: 10551370
registers.ecx: 10551370

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a152000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3092 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65cb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 17, 2021, 10:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 17, 2021, 10:57 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 17, 2021, 10:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

91.194.11.64

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä¨Óà0öBú @ `@ðùO @Ôù H.text ô ö `.rsrc ø@@.reloc@ü@B base_address: 0x00400000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: 0 HX ,ä,4VS_VERSION_INFO½ïþ?StringFileInfof040904b1, Commentsabea afab(CompanyNamedcb8FileDescriptionedc afe0FileVersion4.8.8.5z+LegalCopyrightCopyright 2020 © fdf. All rights reserved.B OriginalFilenameadbc bcf.exe2 ProductNameadbc bcf4ProductVersion5.3.0.28Assembly Version5.3.0.22LegalTrademarksfdabDVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x00422000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: ðD: base_address: 0x00424000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: @ base_address: 0x7ffdd008 process_identifier: 3848 process_handle: 0x000003a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä¨Óà0öBú @ `@ðùO @Ôù H.text ô ö `.rsrc ø@@.reloc@ü@B base_address: 0x00400000 process_identifier: 3848 process_handle: 0x000003a4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3092 called NtSetContextThread to modify thread in remote process 3848
NtSetContextThread March 17, 2021, 10:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4323906 registers.ebp: 0 registers.edx: 0 registers.ebx: 2147340288 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a0 process_identifier: 3848	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3092 resumed a thread in remote process 3848
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 3848	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

91.194.11.64:81

Executed a process and injected code into it, probably while unpacking (36 events)

Time & API	Arguments	Status	Return
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 3092	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 3092	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 3092	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3092	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 3092	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 3092	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 3092	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 3092	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 3092	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 3092	1	0
CreateProcessInternalW March 17, 2021, 10:57 p.m.	thread_identifier: 588 thread_handle: 0x00000344 process_identifier: 2244 current_directory: C:\Users\Administrator\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000394	1	1
CreateProcessInternalW March 17, 2021, 10:57 p.m.	thread_identifier: 6328 thread_handle: 0x000003a0 process_identifier: 3848 current_directory: filepath: C:\Users\Administrator\AppData\Local\Temp\1488.txt track: 1 command_line: filepath_r: C:\Users\Administrator\AppData\Local\Temp\1488.txt stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a4	1	1
NtGetContextThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 3848 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	1	0
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELä¨Óà0öBú @ `@ðùO @Ôù H.text ô ö `.rsrc ø@@.reloc@ü@B base_address: 0x00400000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: base_address: 0x00402000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: 0 HX ,ä,4VS_VERSION_INFO½ïþ?StringFileInfof040904b1, Commentsabea afab(CompanyNamedcb8FileDescriptionedc afe0FileVersion4.8.8.5z+LegalCopyrightCopyright 2020 © fdf. All rights reserved.B OriginalFilenameadbc bcf.exe2 ProductNameadbc bcf4ProductVersion5.3.0.28Assembly Version5.3.0.22LegalTrademarksfdabDVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD base_address: 0x00422000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: ðD: base_address: 0x00424000 process_identifier: 3848 process_handle: 0x000003a4	1	1
WriteProcessMemory March 17, 2021, 10:57 p.m.	buffer: @ base_address: 0x7ffdd008 process_identifier: 3848 process_handle: 0x000003a4	1	1
NtSetContextThread March 17, 2021, 10:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4323906 registers.ebp: 0 registers.edx: 0 registers.ebx: 2147340288 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a0 process_identifier: 3848	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 3848	1	0
CreateProcessInternalW March 17, 2021, 10:57 p.m.	thread_identifier: 1264 thread_handle: 0x00000058 process_identifier: 2544 current_directory: C:\Users\Administrator\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 1 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000005c	1	1
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x000000c0 suspend_count: 1 process_identifier: 3848	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 3848	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 3848	1	0
NtResumeThread March 17, 2021, 10:57 p.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 3848	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36251528
FireEye	Generic.mg.ce0f93d2bb7f1863
CAT-QuickHeal	Trojan.Wacatac
McAfee	PWS-FCWL!CE0F93D2BB7F
Cylance	Unsafe
Zillya	Trojan.GenKryptik.Win32.72261
Sangfor	Trojan.Win32.Wacatac.B
K7AntiVirus	Trojan ( 00575cf01 )
Alibaba	TrojanSpy:MSIL/AgentTesla.7192ceb7
K7GW	Trojan ( 00575cf01 )
Cybereason	malicious.2bb7f1
Arcabit	Trojan.Generic.D2292788
Cyren	W32/Trojan.INOI-8918
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.36251528
NANO-Antivirus	Trojan.Win32.Stealer.ijruva
Tencent	Msil.Trojan-spy.Stealer.Syrv
Ad-Aware	Trojan.GenericKD.36251528
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WAT21
McAfee-GW-Edition	PWS-FCWL!CE0F93D2BB7F
Emsisoft	Trojan.GenericKD.36251528 (B)
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Avira	TR/Kryptik.cjvcu
Microsoft	Trojan:MSIL/AgentTesla.AV!MTB
AegisLab	Trojan.MSIL.Stealer.l!c
GData	Trojan.GenericKD.36251528
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.RL_Generic.C4317828
BitDefenderTheta	Gen:NN.ZemsilF.34628.yjZ@aygPPXh
ALYac	Trojan.GenericKD.36251528
MAX	malware (ai score=100)
Malwarebytes	Spyware.RedLineStealer.MSIL
ESET-NOD32	a variant of MSIL/GenKryptik.EZWO
TrendMicro-HouseCall	TROJ_GEN.R002C0WAT21
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex	Trojan.GenKryptik!OqMco8w8pAk
Ikarus	Trojan.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.EZWO!tr
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Trojan.Kryptik.HgIASQIA

1488.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All