Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 30, 2021, 6:18 p.m.	March 30, 2021, 6:27 p.m.

Size	966.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f13c768b67b9f4fa379b32bd5d8c8126`
SHA256	`fd03c49059cddc8858b22d8432d653f47121a059cb8b0ad19e03a67a03c7f879`
CRC32	`EC6C0040`
ssdeep	`12288:TrgMhlt8J2iNjGZJvl4Z+KqLJHis+frnYBe1kPN+QqWZ:vgMhlt8J1Zs2feCsHjNQWZ`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
1108
- svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
  2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 30, 2021, 6:20 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 30, 2021, 6:18 p.m.			0	0
IsDebuggerPresent March 30, 2021, 6:18 p.m.			0	0
IsDebuggerPresent March 30, 2021, 6:20 p.m.			0	0
IsDebuggerPresent March 30, 2021, 6:20 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 30, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00662410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006624d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 30, 2021, 6:20 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006624d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2021, 6:18 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:18 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dde2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\AppData\Local\Temp\svchost.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 30, 2021, 6:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Run a keylogger	rule	keylogger
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 30, 2021, 6:20 p.m.	thread_identifier: 1788 thread_handle: 0x00000240 process_identifier: 2332 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1	0

Terminates another process (20 events)

Time & API	Arguments	Status
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224
NtTerminateProcess March 30, 2021, 6:20 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000224	1

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 30, 2021, 6:20 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 5456443 seconds, actually delayed analysis time by 5456443 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELfa`àV®t @ À@\tO8 H.text´T V `.rsrc8X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: 8Ph ¤Hê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNamenslkDmFbQwJcOlJJKGIwwgBdJAnGnYp.exe(LegalCopyright p$OriginalFilenamenslkDmFbQwJcOlJJKGIwwgBdJAnGnYp.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: p°4 base_address: 0x0043a000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2332 process_handle: 0x00000244	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELfa`àV®t @ À@\tO8 H.text´T V `.rsrc8X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2332 process_handle: 0x00000244	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1108 called NtSetContextThread to modify thread in remote process 2332
NtSetContextThread March 30, 2021, 6:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2332	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1108 resumed a thread in remote process 2332
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2332	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
McAfee	Artemis!F13C768B67B9
Cylance	Unsafe
Cybereason	malicious.370db8
Cyren	W32/MSIL_Kryptik.CYQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAET
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
NANO-Antivirus	Trojan.Win32.GCS.dkpiay
AegisLab	Trojan.Multi.Generic.4!c
Sophos	ML/PE-A
DrWeb	Trojan.PackedNET.612
McAfee-GW-Edition	Artemis
FireEye	Generic.mg.f13c768b67b9f4fa
eGambit	Unsafe.AI_Score_95%
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R348409
BitDefenderTheta	Gen:NN.ZemsilF.34654.8m0@a0YaBAg
Malwarebytes	Malware.AI.3227348472
Ikarus	Backdoor.MSIL.Bladabindi
Fortinet	MSIL/Kryptik.AAEM!tr
Panda	Trj/RnkBend.A

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread March 30, 2021, 6:18 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread March 30, 2021, 6:18 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1108	1	0
NtResumeThread March 30, 2021, 6:18 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1108	1	0
CreateProcessInternalW March 30, 2021, 6:20 p.m.	thread_identifier: 1788 thread_handle: 0x00000240 process_identifier: 2332 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread March 30, 2021, 6:20 p.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory March 30, 2021, 6:20 p.m.	process_identifier: 2332 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELfa`àV®t @ À@\tO8 H.text´T V `.rsrc8X@@.reloc ^@B base_address: 0x00400000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: base_address: 0x00402000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: 8Ph ¤Hê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNamenslkDmFbQwJcOlJJKGIwwgBdJAnGnYp.exe(LegalCopyright p$OriginalFilenamenslkDmFbQwJcOlJJKGIwwgBdJAnGnYp.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: p°4 base_address: 0x0043a000 process_identifier: 2332 process_handle: 0x00000244	1	1
WriteProcessMemory March 30, 2021, 6:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2332 process_handle: 0x00000244	1	1
NtSetContextThread March 30, 2021, 6:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread March 30, 2021, 6:20 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2332	1	0

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All