popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

msdtc.exe

Generic Malware Downloader Code injection DGA Socket Escalate priviledges KeyLogger Create Service SMTP Internet API DNS ScreenShot Sniff Audio AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 24, 2021, 10 a.m. June 24, 2021, 10:11 a.m.
Size 2.1MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a119493bce8e253eaae093e9afdda7af
SHA256 eaf8092df55d94f151505360bc713e3447a7344b2ef8c4a4f8b3ee1b9d561a44
CRC32 F64EABEA
ssdeep 49152:IXW59IPhDUna7Xw5iP9JvMPALYvpO2kZ7RMGVvZNqt:MKqgiXs1pO2YNqt
Yara
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
con.microgent.ru
A 195.133.40.220
195.133.40.220
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
195.133.40.220 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49810 -> 195.133.40.220:6992 906200098 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.102:49810
195.133.40.220:6992 		CN=hard CN=hard fd:fb:8c:76:6b:53:ba:00:d8:1c:88:d6:5d:73:bb:c2:f4:0a:03:57

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xb29eb5
0xb29e2a
0xb277b4
0xb27083
0xb20fcc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x3135ed @ 0x6eef35ed
0x6b2a4e
0x6b0d52
0x6b00f9
0x6b006b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4515436
registers.edi: 1990713288
registers.eax: 16777216
registers.ebp: 4515640
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xb29eb5
0xb29e2a
0xb277b4
0xb27083
0xb20fcc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x3135ed @ 0x6eef35ed
0x6b2a4e
0x6b0d52
0x6b00f9
0x6b006b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4515436
registers.edi: 1990713288
registers.eax: 4194304
registers.ebp: 4515640
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xb29eb5
0xb29e2a
0xb277b4
0xb27083
0xb20fcc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x3135ed @ 0x6eef35ed
0x6b2a4e
0x6b0d52
0x6b00f9
0x6b006b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4515436
registers.edi: 1990713288
registers.eax: 19464192
registers.ebp: 4515640
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0xb29eb5
0xb29e2a
0xb277b4
0xb27083
0xb20fcc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x3135ed @ 0x6eef35ed
0x6b2a4e
0x6b0d52
0x6b00f9
0x6b006b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 4515436
registers.edi: 1990713288
registers.eax: 12386304
registers.ebp: 4515640
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02500000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00292000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00345000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0034b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00347000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00336000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0033a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00337000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b0f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00540000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00541000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00542000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00543000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002af000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b25000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b26000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b27000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b28000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b29000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2616
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b2a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 6676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b52000
process_handle: 0xffffffff
1 0 0
description msdtc.exe tried to sleep 432 seconds, actually delayed analysis time by 432 seconds
section {u'size_of_data': u'0x0021c200', u'virtual_address': u'0x00002000', u'entropy': 7.9834490868032155, u'name': u'.text', u'virtual_size': u'0x0021c09c'} entropy 7.9834490868 description A section with a high entropy has been found
entropy 0.997000461467 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0
url https://curl.haxx.se/docs/http-cookies.html
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications smtp rule network_smtp_raw
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
host 172.217.25.14
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 6676
region_size: 3989504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000027c
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msdtc reg_value "C:\Users\test22\AppData\Local\msdtc.exe"
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x0050fc98
hook_identifier: 14 (WH_MOUSE_LL)
module_address: 0x00000000
1 42402679 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELËÁl`à æ-<§Ÿ(.@à<€Ô£8(:øI\’4Р2@.Ô\†8€.text=å-æ- `.rdataFº .¼ ê-@@.dataœÀ8"¦8@À.gfidsø`:È9@@.tls €:Ú9@À.relocøI:JÜ9@B
base_address: 0x00400000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x007a8000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 6676
process_handle: 0x0000027c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELËÁl`à æ-<§Ÿ(.@à<€Ô£8(:øI\’4Р2@.Ô\†8€.text=å-æ- `.rdataFº .¼ ê-@@.dataœÀ8"¦8@À.gfidsø`:È9@@.tls €:Ú9@À.relocøI:JÜ9@B
base_address: 0x00400000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x004cb66b
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000
1 178193103 0
Process injection Process 2616 called NtSetContextThread to modify thread in remote process 6676
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6856615
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000274
process_identifier: 6676
1 0 0
Process injection Process 2616 resumed a thread in remote process 6676
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000274
suspend_count: 1
process_identifier: 6676
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2616
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2616
1 0 0

NtResumeThread

 thread_handle: 0x00000198
suspend_count: 1
process_identifier: 2616
1 0 0

NtResumeThread

 thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 2616
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2616
1 0 0

CreateProcessInternalW

 thread_identifier: 8800
thread_handle: 0x00000274
process_identifier: 6676
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\msdtc.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000027c
1 1 0

NtGetContextThread

 thread_handle: 0x00000274
1 0 0

NtAllocateVirtualMemory

 process_identifier: 6676
region_size: 3989504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000027c
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELËÁl`à æ-<§Ÿ(.@à<€Ô£8(:øI\’4Р2@.Ô\†8€.text=å-æ- `.rdataFº .¼ ê-@@.dataœÀ8"¦8@À.gfidsø`:È9@@.tls €:Ú9@À.relocøI:JÜ9@B
base_address: 0x00400000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x006e0000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0078c000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x007a6000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x007a8000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x007a9000
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2616
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 6676
process_handle: 0x0000027c
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6856615
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000274
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000274
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002b0
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x0000032c
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000370
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000374
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000378
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000368
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x0000037c
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000001dc
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x00000110
suspend_count: 1
process_identifier: 6676
1 0 0

NtResumeThread

 thread_handle: 0x000001dc
suspend_count: 1
process_identifier: 6676
1 0 0