Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 21, 2021, 9:54 a.m.	May 21, 2021, 10:03 a.m.

Size	284.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`262936a46f6130dcd0415a530d885080`
SHA256	`f412d1a1fdbdfc220858b5ade4daa2816bbf804889adc26b0e3697436425457b`
CRC32	`81FEA2B7`
ssdeep	`6144:tQqk65TjmDIqpV5LBZJveaCzlH8KQALPsL2lJbZJ:P54dpVZJ/CzPQAA2ltZJ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Sep.exe "C:\Users\test22\AppData\Local\Temp\Sep.exe"
232
- Ser.exe "C:\Windows\temp\Ser.exe"
  5096
- Sel.exe "C:\Windows\temp\Sel.exe"
  8088
- Seh.exe "C:\Windows\temp\Seh.exe"
  4016
  - NVIDIA.exe "C:\Windows\NVIDIA.exe"
    4496
    - Picture.exe "C:\Picture.exe"
      2508
- Cacrk.exe "C:\Windows\temp\Cacrk.exe"
  3388
  - 8908.exe 8908.exe
    5260

Name	Response	Post-Analysis Lookup
users.qzone.qq.com	A 58.250.136.113	58.250.136.113
ocsp.dcocsp.cn	CNAME ocsp.dcocsp.cn.w.kunlunar.com A 47.246.59.227 A 47.246.59.229 A 47.246.59.228 A 47.246.59.230 A 47.246.59.231 A 47.246.59.226 A 47.246.59.232 A 47.246.59.233	163.181.22.232

IP Address	Status	Action
139.155.178.173	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
43.129.230.36	Active	Moloch
47.246.59.231	Active	Moloch
58.250.136.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49808 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49808 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 139.155.178.173:888	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49818 -> 139.155.178.173:888	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 139.155.178.173:888 -> 192.168.56.102:49818	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 139.155.178.173:888 -> 192.168.56.102:49818	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 139.155.178.173:888 -> 192.168.56.102:49818	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 139.155.178.173:888 -> 192.168.56.102:49818	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49815 -> 43.129.230.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49815 -> 43.129.230.36:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected
TCP 43.129.230.36:80 -> 192.168.56.102:49815	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 43.129.230.36:80 -> 192.168.56.102:49815	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 43.129.230.36:80 -> 192.168.56.102:49815	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 43.129.230.36:80 -> 192.168.56.102:49815	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49876 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49876 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49876 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49926 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49926 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49926 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 43.129.230.36:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 43.129.230.36:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49864 58.250.136.113:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Secure Site CA G2	C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=*.qzone.qq.com	89:39:26:02:eb:fd:36:ce:7d:93:4f:b3:e5:16:96:06:0f:b6:9a:5b

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 9:54 a.m.			0	0
IsDebuggerPresent May 21, 2021, 9:54 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 21, 2021, 9:54 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 21, 2021, 9:54 a.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637528 registers.edi: 0 registers.eax: 1 registers.ebp: 1637580 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 6928	1	0	0
__exception__ May 21, 2021, 9:54 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://43.129.230.36/8908.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://43.129.230.36/System1.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
suspicious_features	GET method with no useragent header	suspicious_request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Performs some HTTP requests (6 events)

request	GET http://43.129.230.36/8908.exe
request	GET http://43.129.230.36/System1.dll
request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
request	GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
request	GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Allocates read-write-execute memory (usually to unpack itself) (50 out of 491 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100fa000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10120000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75431000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

Ser.exe tried to sleep 255 seconds, actually delayed analysis time by 255 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 21, 2021, 9:54 a.m.	total_number_of_free_bytes: 13276254208 free_bytes_available: 13276254208 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW May 21, 2021, 9:56 a.m.	total_number_of_free_bytes: 13272883200 free_bytes_available: 13272883200 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (8 events)

file	C:\Windows\Temp\Seh.exe
file	C:\Windows\Temp\8908.exe
file	C:\Windows\Temp\Ser.exe
file	C:\Program Files\AppPatch\NetSyst96.dll
file	C:\Program Files\Cacrk\Cacrk.dll
file	C:\Picture.exe
file	C:\Windows\Temp\Sel.exe
file	C:\Windows\Temp\Cacrk.exe

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA May 21, 2021, 9:54 a.m.	service_start_name: start_type: 2 password: display_name: Internet Connection Sharing (ICS) filepath: C:\Program Files (x86)\Arrange\NULL.jpg service_name: SharedAccess filepath_r: C:\Program Files (x86)\Arrange\NULL.jpg desired_access: 983551 service_handle: 0x00000000 error_control: 0 service_type: 272 service_manager_handle: 0x0055cd18		0	0
CreateServiceA May 21, 2021, 9:54 a.m.	service_start_name: start_type: 2 password: display_name: SuperProServer filepath: C:\Windows\NVIDIA.exe service_name: NVIDIA filepath_r: C:\Windows\NVIDIA.exe desired_access: 983551 service_handle: 0x00314ab0 error_control: 0 service_type: 272 service_manager_handle: 0x00331908	1	3230384	0

Drops a binary and executes it (4 events)

file	C:\Windows\Temp\Ser.exe
file	C:\Windows\Temp\Seh.exe
file	C:\Windows\Temp\Cacrk.exe
file	C:\Picture.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\235c24b.tmp
file	C:\Users\test22\AppData\Local\Temp\235c25b.tmp
file	C:\Users\test22\AppData\Local\Temp\235c23a.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 120 events)

Time & API	Arguments	Status	Return
Process32FirstW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: [System Process] process_identifier: 0	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: System process_identifier: 4	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: smss.exe process_identifier: 224	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: services.exe process_identifier: 440	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: mobsync.exe process_identifier: 8980	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 3268	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: slui.exe process_identifier: 2288	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: cmd.exe process_identifier: 6240	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: conhost.exe process_identifier: 5580	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: Sep.exe process_identifier: 232	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 3804	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 7724	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: Ser.exe process_identifier: 5096	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: Sel.exe process_identifier: 8088	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000110 process_name: Sel.exe process_identifier: 7471220		0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000114 process_name: Sel.exe process_identifier: 6684769		0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000019c process_name: Seh.exe process_identifier: 4016	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000019c process_name: is32bit.exe process_identifier: 7072	1	1
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000290 process_name: Cacrk.exe process_identifier: 3388	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 21, 2021, 9:54 a.m.	process_identifier: 5096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 434176 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the processes cacrk.exe, nvidia.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile May 21, 2021, 9:54 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²sò,² î ²gñ+²î ²gñ²î ²ò.²$î ²>È²Âî ²>È+²Tî ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PELrN`à` ÀBz_p @P\|K, Oh_p T.textâS ` `.rdataR3Ap @Ap @@.dataJè°K °K@À.rsrch_ O`ÐL@@ request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 9:54 a.m.	buffer: Processú¦Ï©ÅoïÉ[©Á~¿ÍfC±NtZwuser32.dllgdi32.dll ÷×_ÒÖ¯ÆfCÁ¾/ÎCÃ6G¥ÏWçÅïÉ[©Á~¿ÍfC±@ãð7«Å[ïÉ[©Á~¿ÍfC±D@#\EAPA×fAgA jAirAýrAóuAÎxA%yAyAA{AßAA AAA¾A¸¾AèA@A'AAgA»AAæA½AAûA0A"AAÝA¹AA\|An A`¡AR¢AD£A:¤A¥Aæ¥AÜ¦A)¨A©Aò©A¯Aà¯A¹°A±Ar²AM³A>¶Al·A¸AºAöºAÑ»A³¼A½AöB÷B?¿A¨ßAÐéAÛøAÒBu5Bí5BB®BÝBBBªBeB5B}%B ;B;B¨8B@À?MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $yÌ³Þ=Ý=Ý=Ý¾±ÓÝ×ÝÖkÝF±Ñ>Ýk²ÎÝ_²Î(Ý=Ür¯ÝÕ²ÖwÝÕ²×$Ý=Ý"Ýú«Û<ÝÂÙ<ÝRich=ÝPELw ^à!ð@ÛQ°J t\|ð} request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 9:54 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²sò,² î ²gñ+²î ²gñ²î ²ò.²$î ²>È²Âî ²>È+²Tî ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PEL¡@v`à` ÀBap @Pè\|K, Oh_p T.textU ` `.rdata¢3Ap @Ap @@.dataJè°K °K@À.rsrch_ O`ÐL@@ request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 9:54 a.m.	buffer: kernel32IsWow64Processú¦Ï©ÅoïÉ[©Á~¿ÍfC±NtZwuser32.dllgdi32.dll ÷×_ÒÖ¯ÆfCÁ¾/ÎCÃ6G¥ÏWçÅïÉ[©Á~¿ÍfC±@ãð7«Å[ïÉ[©Á~¿ÍfC±D@#\Software\Valve\Steam\RememberPasswordêAõA\|hA4iAÅkAtA¢tAwAszAÊzA'{Aæ\|AA&A¯A8A·A'ÀA]ÀAAåAÌA¿AA`A´AAbA-A AÕAÇA¹AA^A/ A!¡A¢A£A÷£Aé¤Aß¥A¶¦A§A¨AÎ©AÄªA«AÃ°A±A^²AB³A´Aò´Aã·A¹A8ºAÀ»A¼Av½AX¾A<¿ABBäÀAMáAuëAúAwB7B7B´BSBB±BºBOB BÚB"'B@®<B¹<BM:BÀ?MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $yÌ³Þ=Ý=Ý=Ý¾±ÓÝ×ÝÖkÝF±Ñ>Ýk²ÎÝ_²Î(Ý=Ür¯ÝÕ²ÖwÝÕ²×$Ý=Ý"Ýú«Û<ÝÂÙ<ÝRich=ÝPELw ^à!ð@ÛQ request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 21, 2021, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 21, 2021, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 7095 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000114 process_name: Sel.exe process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000298 process_name: Cacrk.exe process_identifier: 7536688		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000029c process_name: Cacrk.exe process_identifier: 7602277		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002c0 process_name: Cacrk.exe process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002c4 process_name: Cacrk.exe process_identifier: 4390992		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002c8 process_name: Cacrk.exe process_identifier: 6553705		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002cc process_name: e process_identifier: 6553705		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002d0 process_name: Cacrk.exe process_identifier: 7274573		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002d4 process_name: Cacrk.exe process_identifier: 5046390		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002d8 process_name: Cacrk.exe process_identifier: 4980808		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002dc process_name: Cacrk.exe process_identifier: 6619251		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002e0 process_name: Cacrk.exe process_identifier: 3014768		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002e4 process_name: Cacrk.exe process_identifier: 4456521		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002e8 process_name: Cacrk.exe process_identifier: 3014771		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002ec process_name: Cacrk.exe process_identifier: 7733331		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002f0 process_name: Cacrk.exe process_identifier: 6750273		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002f4 process_name: Cacrk.exe process_identifier: 7798887		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002f8 process_name: Cacrk.exe process_identifier: 6619251		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x000002fc process_name: Cacrk.exe process_identifier: 3014768		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000300 process_name: Cacrk.exe process_identifier: 6815859		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000304 process_name: Cacrk.exe process_identifier: 6881397		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000308 process_name: Cacrk.exe process_identifier: 6553715		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000030c process_name: Cacrk.exe process_identifier: 5046338		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000310 process_name: Cacrk.exe process_identifier: 6619235		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000314 process_name: Cacrk.exe process_identifier: 4456552		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000318 process_name: Cacrk.exe process_identifier: 7536758		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000031c process_name: Cacrk.exe process_identifier: 7667821		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000320 process_name: Cacrk.exe process_identifier: 6619251		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000324 process_name: process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000328 process_name: Cacrk.exe process_identifier: 7798829		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000032c process_name: process_identifier: 5439572		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000334 process_name: Cacrk.exe process_identifier: 6815828		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000338 process_name: Cacrk.exe process_identifier: 6619182		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000033c process_name: Cacrk.exe process_identifier: 6619182		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000340 process_name: Cacrk.exe process_identifier: 3670069		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000344 process_name: Cacrk.exe process_identifier: 6357102		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000264 process_name: Cacrk.exe process_identifier: 7602224		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000350 process_name: Cacrk.exe process_identifier: 7536688		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000354 process_name: Cacrk.exe process_identifier: 7602277		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000358 process_name: Cacrk.exe process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000035c process_name: Cacrk.exe process_identifier: 4390992		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000360 process_name: Cacrk.exe process_identifier: 6553705		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000364 process_name: e process_identifier: 6553705		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000368 process_name: Cacrk.exe process_identifier: 7274573		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000036c process_name: Cacrk.exe process_identifier: 5046390		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000370 process_name: Cacrk.exe process_identifier: 4980808		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000374 process_name: Cacrk.exe process_identifier: 6619251		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000378 process_name: Cacrk.exe process_identifier: 3014768		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x0000037c process_name: Cacrk.exe process_identifier: 4456521		0	0
Process32NextW May 21, 2021, 9:54 a.m.	snapshot_handle: 0x00000380 process_name: Cacrk.exe process_identifier: 3014771		0	0

Communicates with host for which no DNS query was performed (3 events)

host	139.155.178.173
host	172.217.25.14
host	43.129.230.36

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX5B07E7D0	reg_value	C:\Windows\XXXXXX5B07E7D0\svchsot.exe
service_name	SharedAccess	service_path	C:\Program Files (x86)\Arrange\NULL.jpg
service_name	NVIDIA	service_path	C:\Windows\NVIDIA.exe

Expresses interest in specific running processes (3 events)

process	dwm.exe
process	sel.exe
process: potential process injection target	explorer.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 21, 2021, 9:54 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArrCmva6ysr2utKe9rrSwqa6mr7Wvnw==

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	MemScan:Trojan.GenericKDZ.41799
FireEye	MemScan:Trojan.GenericKDZ.41799
CAT-QuickHeal	Trojan.Magania.18692
McAfee	GenericRXGZ-NM!BBE5AADE113D
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.46f613
Arcabit	Trojan.Generic.DA347
Baidu	Multi.Threats.InArchive
Cyren	W32/Trojan.IM.gen!Eldorado
Symantec	Backdoor.Trojan
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Farfli-9811912-0
Kaspersky	Backdoor.Win32.Farfli.adnj
BitDefender	MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus	Trojan.Win32.Dwn.eahibw
Tencent	Win32.Trojan.Obfuscator.Hoyj
Ad-Aware	MemScan:Trojan.GenericKDZ.41799
Emsisoft	MemScan:Trojan.GenericKDZ.41799 (B)
Comodo	TrojWare.Win32.Agent.PDSB@4q3i1w
DrWeb	Trojan.DownLoader19.23899
TrendMicro	BKDR_ZEGOST.SM50
McAfee-GW-Edition	BackDoor-EMA.gen.e
Sophos	Troj/AutoG-JE
Ikarus	Trojan-Downloader.Win32.Agent
Jiangmin	Trojan/Dialer.mgr
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1124319
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Dorv.A
ZoneAlarm	HEUR:Trojan.Win32.Farfli.gen
GData	Win32.Trojan-Downloader.Agent.WC
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4430134
BitDefenderTheta	Gen:NN.ZexaF.34690.cq0@aap0jngb
ALYac	MemScan:Trojan.GenericKDZ.41799
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Downloader
Malwarebytes	Malware.AI.3771281797
Zoner	Trojan.Win32.83819
TrendMicro-HouseCall	BKDR_ZEGOST.SM50
Rising	Backdoor.Lotok!8.111D5 (TFE:dGZlOgUxSVLe92Su/g)
Yandex	Trojan.GenAsa!puNbw774luA
Fortinet	W32/Agent.BVS!tr
AVG	Win32:Malware-gen

Sep.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All