Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 29, 2021, 9:48 a.m.	July 29, 2021, 9:51 a.m.

Size	388.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`e136a977901a98fb11493370926cfcf6`
SHA256	`dbdf67590cfb1a76b02700a7c91c11ddf0c75f5963e6d56020e983e15a65c5d9`
CRC32	`0256AB7D`
ssdeep	`6144:3wi7sK+CK0KLSGcUeinKOo15usoj8VOqR6Pu64LQTK:j/KWzinKnboj8sqRds2`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer IsDLL - (no description) PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\joinpornhub.pdf.exe.dll,StartW
1540
- wermgr.exe C:\Windows\system32\wermgr.exe
  1036
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\joinpornhub.pdf.exe.dll,
1064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
138.34.28.219	Active	Moloch
154.58.23.192	Active	Moloch
185.56.76.94	Active	Moloch
217.115.240.248	Active	Moloch
38.110.103.124	Active	Moloch
38.110.103.18	Active	Moloch
45.36.99.184	Active	Moloch
68.69.26.182	Active	Moloch
74.85.157.139	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 45.36.99.184:443	2404318	ET CNC Feodo Tracker Reported CnC Server group 19	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 45.36.99.184:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49166 -> 217.115.240.248:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49168 -> 138.34.28.219:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49169 -> 38.110.103.124:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 45.36.99.184:443 -> 192.168.56.103:49165	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.103:49171 -> 74.85.157.139:443	2404321	ET CNC Feodo Tracker Reported CnC Server group 22	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 38.110.103.18:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 45.36.99.184:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.103:49166 217.115.240.248:443	C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA	C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA	d3:39:ab:71:76:bb:9c:d2:1c:3e:b1:17:92:c7:3f:25:1f:25:f8:88
TLSv1 192.168.56.103:49168 138.34.28.219:443	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com	0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54
TLSv1 192.168.56.103:49169 38.110.103.124:443	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:EC:48:A1/emailAddress=support@ubnt.com	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:EC:48:A1/emailAddress=support@ubnt.com	e6:60:4a:40:4a:b9:63:85:da:e8:fc:ec:75:e2:1a:7e:85:1f:49:1e
TLSv1 192.168.56.103:49172 38.110.103.18:443	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-B4:FB:E4:B8:30:7E/emailAddress=support@ubnt.com	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-B4:FB:E4:B8:30:7E/emailAddress=support@ubnt.com	2e:0f:ca:9b:3e:95:2e:8f:f6:42:a6:1e:7a:21:66:83:0d:31:cb:c1

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 29, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 29, 2021, 9:48 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 29, 2021, 9:42 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x746bbdb5 0x11e403 0xedd58 0x113e85 0xeddb0 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77769a5a registers.r14: 1158552 registers.r15: 976896 registers.rcx: 0 registers.rsi: 974168 registers.r10: 0 registers.rbx: 852103976 registers.rsp: 974160 registers.r11: 0 registers.r8: 5 registers.r9: 1953816320 registers.rdx: 2 registers.r12: 976864 registers.rbp: 0 registers.rdi: 976888 registers.rax: 1 registers.r13: 2001677168	1	0	0
__exception__ July 29, 2021, 9:43 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x746bbdb5 0x11e403 0xedd58 0x113e85 0xeddb0 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77769a5a registers.r14: 1158552 registers.r15: 976896 registers.rcx: 0 registers.rsi: 974168 registers.r10: 0 registers.rbx: 852103976 registers.rsp: 974160 registers.r11: 0 registers.r8: 5 registers.r9: 1953816320 registers.rdx: 2 registers.r12: 976864 registers.rbp: 0 registers.rdi: 976888 registers.rax: 1 registers.r13: 2001677168	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 29, 2021, 9:42 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea
New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x746bbdb5
0x11e403
0xedd58
0x113e85
0xeddb0

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77769a5a
registers.r14: 1158552
registers.r15: 976896
registers.rcx: 0
registers.rsi: 974168
registers.r10: 0
registers.rbx: 852103976
registers.rsp: 974160
registers.r11: 0
registers.r8: 5
registers.r9: 1953816320
registers.rdx: 2
registers.r12: 976864
registers.rbp: 0
registers.rdi: 976888
registers.rax: 1
registers.r13: 2001677168

__exception__

July 29, 2021, 9:43 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x746c6d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x777a1278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77769a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7751b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x746b05bd
hook_in_monitor+0x45 lde-0x133 @ 0x746a42ea
New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x746bbdb5
0x11e403
0xedd58
0x113e85
0xeddb0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://45.36.99.184/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://217.115.240.248/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/cookiechecker?uri=/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/index.html
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/login.cgi?uri=/index.html
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.103.124/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.103.18/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/

Performs some HTTP requests (8 events)

request	GET https://45.36.99.184/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
request	GET https://217.115.240.248/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
request	GET https://138.34.28.219/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
request	GET https://138.34.28.219/cookiechecker?uri=/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
request	GET https://138.34.28.219/index.html
request	GET https://138.34.28.219/login.cgi?uri=/index.html
request	GET https://38.110.103.124/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/
request	GET https://38.110.103.18/rob114/TEST22-PC_W617601.FBFF346F9DD8BB0683FDCCFB7BD71FF1/5/file/

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74080000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74051000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 29, 2021, 9:41 a.m.	process_identifier: 1036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 29, 2021, 9:48 a.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01fb1000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 29, 2021, 9:42 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 29, 2021, 9:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 29, 2021, 9:48 a.m.	status_code: 0x00000000 process_identifier: 460 process_handle: 0x00000110		0	0
NtTerminateProcess July 29, 2021, 9:48 a.m.	status_code: 0x00000000 process_identifier: 460 process_handle: 0x00000110	1	0	0

Communicates with host for which no DNS query was performed (9 events)

host	138.34.28.219
host	154.58.23.192
host	185.56.76.94
host	217.115.240.248
host	38.110.103.124
host	38.110.103.18
host	45.36.99.184
host	68.69.26.182
host	74.85.157.139

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetect.malware1
MicroWorld-eScan	Trojan.GenericFCA.Agent.11063
ESET-NOD32	a variant of Generik.CEIVFVI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.Trickpak.gen
BitDefender	Trojan.GenericFCA.Agent.11063
Ad-Aware	Trojan.GenericFCA.Agent.11063
TrendMicro	TrojanSpy.Win32.TRICKBOT.TIGOCJS
FireEye	Trojan.GenericFCA.Agent.11063
GData	Win32.Trojan-Spy.TrickBot.CA0SRR
MAX	malware (ai score=82)
Kingsoft	Win32.Troj.Undef.(kcloud)
TrendMicro-HouseCall	TrojanSpy.Win32.TRICKBOT.TIGOCJS
eGambit	Unsafe.AI_Score_97%

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.103:49171
dead_host	74.85.157.139:443
dead_host	68.69.26.182:443
dead_host	185.56.76.94:443

joinpornhub.pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All