Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2021, 1:11 p.m.	June 8, 2021, 1:13 p.m.

Size	137.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ef4cd87768670dbe24f609336ebed7f7`
SHA256	`0e1237edd5fd20fdc5ea71b11f69de113bd709910512a64d56d5177ceaf00d17`
CRC32	`D71B097E`
ssdeep	`3072:k3iwYfOszncEYyMrJ8TXjJvm+F9O4qnIf:dwYXznFYy48rjJuk4`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

Pb3Setp.exe "C:\Users\test22\AppData\Local\Temp\Pb3Setp.exe"
5628
- 4555466.exe "C:\Users\test22\AppData\Roaming\4555466.exe"
  4836
- 6171470.exe "C:\Users\test22\AppData\Roaming\6171470.exe"
  8740
  - WinHoster.exe "C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe"
    3916
- 6067059.exe "C:\Users\test22\AppData\Roaming\6067059.exe"
  2060
- 3284193.exe "C:\Users\test22\AppData\Roaming\3284193.exe"
  3180
  - 3284193.exe "{path}"
    6956

Name	Response	Post-Analysis Lookup
topnewsdesign.xyz	A 172.67.206.72 A 104.21.69.75	104.21.69.75
iplogger.org	A 88.99.66.31	88.99.66.31
brershrowal.xyz	A 45.93.6.203	45.93.6.203

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.206.72	Active	Moloch
45.93.6.203	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 172.67.206.72:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49815 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 172.67.206.72:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	32:77:2f:72:40:14:df:f9:54:c4:0a:62:8b:04:f6:02:09:b6:56:05
TLSv1 192.168.56.102:49814 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49815 88.99.66.31:443	None	None	None

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:12 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:12 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:12 p.m.			0	0
IsDebuggerPresent June 8, 2021, 1:12 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e30f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e30f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e30f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 1:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a1b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 1:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a1b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 1:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008a1bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 8, 2021, 1:11 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 8, 2021, 1:11 p.m.	stacktrace: getJit+0x6183 clrjit+0x5aa9b @ 0x738daa9b sxsJitStartup-0x4b209 clrjit+0x968b @ 0x7388968b sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x738b8e8b sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848 sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x738889ab sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848 sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x738893dc sxsJitStartup-0x4b379 clrjit+0x951b @ 0x7388951b sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x738871e9 sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x6fd3a887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3925572 registers.edi: 34463576 registers.eax: 3925572 registers.ebp: 3925652 registers.edx: 0 registers.ebx: 0 registers.esi: 31981584 registers.ecx: 1	1	0	0
__exception__ June 8, 2021, 1:11 p.m.	stacktrace: getJit+0x6183 clrjit+0x5aa9b @ 0x738daa9b sxsJitStartup-0x4b209 clrjit+0x968b @ 0x7388968b sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x738b8e8b sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848 sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x738889ab sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848 sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x738893dc sxsJitStartup-0x4b379 clrjit+0x951b @ 0x7388951b sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x738871e9 sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x6fd3a887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3925572 registers.edi: 33739284 registers.eax: 3925572 registers.ebp: 3925652 registers.edx: 0 registers.ebx: 0 registers.esi: 31981584 registers.ecx: 1	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 8, 2021, 1:11 p.m.

stacktrace:

getJit+0x6183 clrjit+0x5aa9b @ 0x738daa9b
sxsJitStartup-0x4b209 clrjit+0x968b @ 0x7388968b
sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x738b8e8b
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x738889ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x738893dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x7388951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x738871e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x6fd3a887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x2345678
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3925572
registers.edi: 34463576
registers.eax: 3925572
registers.ebp: 3925652
registers.edx: 0
registers.ebx: 0
registers.esi: 31981584
registers.ecx: 1

__exception__

June 8, 2021, 1:11 p.m.

stacktrace:

getJit+0x6183 clrjit+0x5aa9b @ 0x738daa9b
sxsJitStartup-0x4b209 clrjit+0x968b @ 0x7388968b
sxsJitStartup-0x1ba09 clrjit+0x38e8b @ 0x738b8e8b
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848
sxsJitStartup-0x4bee9 clrjit+0x89ab @ 0x738889ab
sxsJitStartup-0x4c04c clrjit+0x8848 @ 0x73888848
sxsJitStartup-0x4b4b8 clrjit+0x93dc @ 0x738893dc
sxsJitStartup-0x4b379 clrjit+0x951b @ 0x7388951b
sxsJitStartup-0x4d6ab clrjit+0x71e9 @ 0x738871e9
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x6fd3a887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x2345678
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3925572
registers.edi: 33739284
registers.eax: 3925572
registers.ebp: 3925652
registers.edx: 0
registers.ebx: 0
registers.esi: 31981584
registers.ecx: 1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_2
suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_3
suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_4
suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_5
suspicious_features	GET method with no useragent header	suspicious_request	GET https://topnewsdesign.xyz/?user=pb3_6
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1vjFz7

Performs some HTTP requests (8 events)

request	GET https://topnewsdesign.xyz/?user=pb3_1
request	GET https://topnewsdesign.xyz/?user=pb3_2
request	GET https://topnewsdesign.xyz/?user=pb3_3
request	GET https://topnewsdesign.xyz/?user=pb3_4
request	GET https://topnewsdesign.xyz/?user=pb3_5
request	GET https://topnewsdesign.xyz/?user=pb3_6
request	GET https://iplogger.org/1jE3z7
request	GET https://iplogger.org/1vjFz7

Allocates read-write-execute memory (usually to unpack itself) (50 out of 418 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a9b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 8, 2021, 1:11 p.m.	process_identifier: 5628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Pb3Setp.exe tried to sleep 163 seconds, actually delayed analysis time by 163 seconds

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\6171470.exe
file	C:\Users\test22\AppData\Roaming\4555466.exe
file	C:\Users\test22\AppData\Roaming\3284193.exe
file	C:\Users\test22\AppData\Roaming\6067059.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW June 8, 2021, 1:11 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\WinHost filepath: C:\Users\test22\AppData\Roaming\WinHost	1	1	0
SetFileAttributesW June 8, 2021, 1:11 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe filepath: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe	1	1	0

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Roaming\4555466.exe
file	C:\Users\test22\AppData\Roaming\6171470.exe
file	C:\Users\test22\AppData\Roaming\6067059.exe
file	C:\Users\test22\AppData\Roaming\3284193.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Roaming\3284193.exe
file	C:\Users\test22\AppData\Roaming\6067059.exe
file	C:\Users\test22\AppData\Roaming\6171470.exe
file	C:\Users\test22\AppData\Roaming\4555466.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\4555466.exe parameters: filepath: C:\Users\test22\AppData\Roaming\4555466.exe	1	1
ShellExecuteExW June 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\6171470.exe parameters: filepath: C:\Users\test22\AppData\Roaming\6171470.exe	1	1
ShellExecuteExW June 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\6067059.exe parameters: filepath: C:\Users\test22\AppData\Roaming\6067059.exe	1	1
ShellExecuteExW June 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\3284193.exe parameters: filepath: C:\Users\test22\AppData\Roaming\3284193.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 8, 2021, 1:11 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00011000', u'virtual_address': u'0x00002000', u'entropy': 7.405519027130349, u'name': u'.text', u'virtual_size': u'0x00010f04'}

entropy

7.40551902713

description

A section with a high entropy has been found

entropy

0.498168498168

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 8, 2021, 1:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 8, 2021, 1:12 p.m.	process_identifier: 6956 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002e8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinHost

reg_value

C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 8, 2021, 1:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELùi=¬à0P"d @ À@ÐcOä ´c H.textN P `.rsrcäT@@.reloc \@B base_address: 0x00400000 process_identifier: 6956 process_handle: 0x000002e8	1	1
WriteProcessMemory June 8, 2021, 1:12 p.m.	buffer: P8häTT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameCheechakos.exe(LegalCopyright FOriginalFilenameCheechakos.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ôêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00418000 process_identifier: 6956 process_handle: 0x000002e8	1	1
WriteProcessMemory June 8, 2021, 1:12 p.m.	buffer: `$4 base_address: 0x0041a000 process_identifier: 6956 process_handle: 0x000002e8	1	1
WriteProcessMemory June 8, 2021, 1:12 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6956 process_handle: 0x000002e8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 8, 2021, 1:12 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELùi=¬à0P"d @ À@ÐcOä ´c H.textN P `.rsrcäT@@.reloc \@B base_address: 0x00400000 process_identifier: 6956 process_handle: 0x000002e8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3180 called NtSetContextThread to modify thread in remote process 6956
NtSetContextThread June 8, 2021, 1:12 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4285474 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 6956	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3180 resumed a thread in remote process 6956
NtResumeThread June 8, 2021, 1:12 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 6956	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.ef4cd87768670dbe
McAfee	Artemis!EF4CD8776867
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Confuser.05e28375
K7GW	Trojan ( 0057310a1 )
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Packed.Confuser.DY
APEX	Malicious
Paloalto	generic.ml
McAfee-GW-Edition	Artemis!Trojan
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.MSIL.Confuser
Microsoft	Trojan:Win32/Wacatac.B!ml
AegisLab	Trojan.Win32.Malicious.4!c
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34722.im0@a4T2Job
VBA32	CIL.HeapOverride.Heur
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Cybereason	malicious.266b7a

Executed a process and injected code into it, probably while unpacking (50 out of 62 events)

Time & API	Arguments	Status	Return
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000000000000200 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000000000000218 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 5628	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000003b4 suspend_count: 1 process_identifier: 5628	1	0
CreateProcessInternalW June 8, 2021, 1:11 p.m.	thread_identifier: 8724 thread_handle: 0x000000000000071c process_identifier: 4836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\4555466.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\4555466.exe" filepath_r: C:\Users\test22\AppData\Roaming\4555466.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000724	1	1
CreateProcessInternalW June 8, 2021, 1:11 p.m.	thread_identifier: 7772 thread_handle: 0x000000000000071c process_identifier: 8740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\6171470.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\6171470.exe" filepath_r: C:\Users\test22\AppData\Roaming\6171470.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000710	1	1
CreateProcessInternalW June 8, 2021, 1:11 p.m.	thread_identifier: 6596 thread_handle: 0x0000000000000724 process_identifier: 2060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\6067059.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\6067059.exe" filepath_r: C:\Users\test22\AppData\Roaming\6067059.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000728	1	1
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 5628	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 5628	1	0
CreateProcessInternalW June 8, 2021, 1:11 p.m.	thread_identifier: 4420 thread_handle: 0x000000000000071c process_identifier: 3180 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\3284193.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\3284193.exe" filepath_r: C:\Users\test22\AppData\Roaming\3284193.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000720	1	1
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 4836	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 4836	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 8740	1	0
CreateProcessInternalW June 8, 2021, 1:11 p.m.	thread_identifier: 4772 thread_handle: 0x00000470 process_identifier: 3916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe" filepath_r: C:\Users\test22\AppData\Roaming\WinHost\WinHoster.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 3916	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread June 8, 2021, 1:11 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread June 8, 2021, 1:12 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3180	1	0
NtResumeThread June 8, 2021, 1:12 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 3180	1	0
NtResumeThread June 8, 2021, 1:12 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 3180	1	0
NtResumeThread June 8, 2021, 1:12 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3180	1	0
CreateProcessInternalW June 8, 2021, 1:12 p.m.	thread_identifier: 3004 thread_handle: 0x000002bc process_identifier: 6956 current_directory: filepath: C:\Users\test22\AppData\Roaming\3284193.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Roaming\3284193.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002e8	1	1
NtGetContextThread June 8, 2021, 1:12 p.m.	thread_handle: 0x000002bc	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (15 events)

dead_host	192.168.56.102:49827
dead_host	192.168.56.102:49824
dead_host	45.93.6.203:80
dead_host	192.168.56.102:49818
dead_host	192.168.56.102:49825
dead_host	192.168.56.102:49819
dead_host	192.168.56.102:49830
dead_host	192.168.56.102:49831
dead_host	192.168.56.102:49828
dead_host	192.168.56.102:49822
dead_host	192.168.56.102:49829
dead_host	192.168.56.102:49823
dead_host	192.168.56.102:49820
dead_host	192.168.56.102:49821
dead_host	192.168.56.102:49826

Pb3Setp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All