Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 30, 2021, 10:24 a.m.	July 30, 2021, 10:45 a.m.

Size	600.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`8dcc2d557edcd14aa33dd738ea58f937`
SHA256	`cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4`
CRC32	`BB5CD5CF`
ssdeep	`12288:gjBb925xIKt+wxNoC2NXH0tndFqvK9tZHkS1oKfqe9KS:A25xIKwlNEtdAvKjLzfES`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\downloaddocument.do.dll,StartW
2096
- wermgr.exe C:\Windows\system32\wermgr.exe
  2304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\downloaddocument.do.dll,
2204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
138.34.28.219	Active	Moloch
154.58.23.192	Active	Moloch
164.124.101.2	Active	Moloch
185.56.76.108	Active	Moloch
185.56.76.28	Active	Moloch
185.56.76.94	Active	Moloch
217.115.240.248	Active	Moloch
24.162.214.166	Active	Moloch
38.110.100.142	Active	Moloch
38.110.103.18	Active	Moloch
45.36.99.184	Active	Moloch
60.51.47.65	Active	Moloch
68.69.26.182	Active	Moloch
97.83.40.67	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 60.51.47.65:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 60.51.47.65:443 -> 192.168.56.102:49164	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49169 -> 38.110.103.18:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49168 -> 38.110.100.142:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49166 -> 97.83.40.67:443	2404324	ET CNC Feodo Tracker Reported CnC Server group 25	A Network Trojan was detected
TCP 192.168.56.102:49172 -> 24.162.214.166:443	2404315	ET CNC Feodo Tracker Reported CnC Server group 16	A Network Trojan was detected
TCP 192.168.56.102:49175 -> 45.36.99.184:443	2404318	ET CNC Feodo Tracker Reported CnC Server group 19	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 97.83.40.67:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49175 -> 45.36.99.184:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49172 -> 24.162.214.166:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 97.83.40.67:443 -> 192.168.56.102:49166	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 45.36.99.184:443 -> 192.168.56.102:49175	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 24.162.214.166:443 -> 192.168.56.102:49172	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49174 -> 217.115.240.248:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49177 -> 138.34.28.219:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49164 60.51.47.65:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02
TLSv1 192.168.56.102:49169 38.110.103.18:443	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-B4:FB:E4:B8:30:7E/emailAddress=support@ubnt.com	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-B4:FB:E4:B8:30:7E/emailAddress=support@ubnt.com	2e:0f:ca:9b:3e:95:2e:8f:f6:42:a6:1e:7a:21:66:83:0d:31:cb:c1
TLSv1 192.168.56.102:49168 38.110.100.142:443	C=US, ST=NY, L=New York, O=Ubiquiti Inc., OU=Technical Support, CN=UBNT-18:E8:29:1F:F2:01/emailAddress=support@ui.com	C=US, ST=NY, L=New York, O=Ubiquiti Inc., OU=Technical Support, CN=UBNT-18:E8:29:1F:F2:01/emailAddress=support@ui.com	f1:bf:98:64:45:62:e6:de:5f:a4:b5:d9:2a:11:e4:6f:21:99:7b:61
TLSv1 192.168.56.102:49166 97.83.40.67:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49175 45.36.99.184:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49172 24.162.214.166:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49174 217.115.240.248:443	C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA	C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA	d3:39:ab:71:76:bb:9c:d2:1c:3e:b1:17:92:c7:3f:25:1f:25:f8:88
TLSv1 192.168.56.102:49177 138.34.28.219:443	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com	C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com	0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 30, 2021, 10:17 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:24 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 30, 2021, 10:17 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7440bdb5 0xad8d3 0x25df38 0xb4d05 0x25df90 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 742360 registers.r15: 2484704 registers.rcx: 0 registers.rsi: 2481976 registers.r10: 0 registers.rbx: 853218088 registers.rsp: 2481968 registers.r11: 0 registers.r8: 5 registers.r9: 1950998272 registers.rdx: 2 registers.r12: 2484672 registers.rbp: 0 registers.rdi: 2484696 registers.rax: 1 registers.r13: 1988766576	1
__exception__ July 30, 2021, 10:17 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7440bdb5 0xad8d3 0x25df38 0xb4d05 0x25df90 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 742360 registers.r15: 2484704 registers.rcx: 0 registers.rsi: 2481976 registers.r10: 0 registers.rbx: 853218088 registers.rsp: 2481968 registers.r11: 0 registers.r8: 5 registers.r9: 1950998272 registers.rdx: 2 registers.r12: 2484672 registers.rbp: 0 registers.rdi: 2484696 registers.rax: 1 registers.r13: 1988766576	1
__exception__ July 30, 2021, 10:18 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7440bdb5 0xad8d3 0x25df38 0xb4d05 0x25df90 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 742360 registers.r15: 2484704 registers.rcx: 0 registers.rsi: 2481976 registers.r10: 0 registers.rbx: 853218088 registers.rsp: 2481968 registers.r11: 0 registers.r8: 5 registers.r9: 1950998272 registers.rdx: 2 registers.r12: 2484672 registers.rbp: 0 registers.rdi: 2484696 registers.rax: 1 registers.r13: 1988766576	1
__exception__ July 30, 2021, 10:18 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7440bdb5 0xad8d3 0x25df38 0xb4d05 0x25df90 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 742360 registers.r15: 2484704 registers.rcx: 0 registers.rsi: 2481976 registers.r10: 0 registers.rbx: 853218088 registers.rsp: 2481968 registers.r11: 0 registers.r8: 5 registers.r9: 1950998272 registers.rdx: 2 registers.r12: 2484672 registers.rbp: 0 registers.rdi: 2484696 registers.rax: 1 registers.r13: 1988766576	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://60.51.47.65/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://97.83.40.67/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.100.142/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.100.142/cookiechecker?uri=/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.100.142/index.html
suspicious_features	Connection to IP address	suspicious_request	GET https://38.110.103.18/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://24.162.214.166/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://217.115.240.248/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://45.36.99.184/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/index.html
suspicious_features	Connection to IP address	suspicious_request	GET https://138.34.28.219/login.cgi?uri=/index.html

Performs some HTTP requests (13 events)

request	GET https://60.51.47.65/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://97.83.40.67/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://38.110.100.142/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://38.110.100.142/cookiechecker?uri=/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://38.110.100.142/index.html
request	GET https://38.110.103.18/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://24.162.214.166/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://217.115.240.248/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://45.36.99.184/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://138.34.28.219/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://138.34.28.219/cookiechecker?uri=/rob116/TEST22-PC_W617601.8B538ABB9337784DFF0195FB9533B201/5/file/
request	GET https://138.34.28.219/index.html
request	GET https://138.34.28.219/login.cgi?uri=/index.html

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10052000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f30000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e41000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e42000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 30, 2021, 10:16 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 148 seconds, actually delayed analysis time by 148 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x020d1000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 30, 2021, 10:17 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003e000', u'virtual_address': u'0x00055000', u'entropy': 7.841039572691421, u'name': u'.rsrc', u'virtual_size': u'0x0003d798'}

entropy

7.84103957269

description

A section with a high entropy has been found

entropy

0.41610738255

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 30, 2021, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 30, 2021, 10:24 a.m.	status_code: 0x00000000 process_identifier: 2268 process_handle: 0x00000118		0	0
NtTerminateProcess July 30, 2021, 10:24 a.m.	status_code: 0x00000000 process_identifier: 2268 process_handle: 0x00000118	1	0	0

Communicates with host for which no DNS query was performed (13 events)

host	138.34.28.219
host	154.58.23.192
host	185.56.76.108
host	185.56.76.28
host	185.56.76.94
host	217.115.240.248
host	24.162.214.166
host	38.110.100.142
host	38.110.103.18
host	45.36.99.184
host	60.51.47.65
host	68.69.26.182
host	97.83.40.67

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Artemis!8DCC2D557EDC
CrowdStrike	win/malicious_confidence_90% (W)
K7GW	Trojan ( 00579dbe1 )
K7AntiVirus	Trojan ( 00579dbe1 )
Symantec	ML.Attribute.HighConfidence
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.Trickpak.gen
McAfee-GW-Edition	BehavesLike.Win32.Ramnit.jc
FireEye	Generic.mg.8dcc2d557edcd14a
Sophos	ML/PE-A
APEX	Malicious
ZoneAlarm	UDS:DangerousObject.Multi.Generic
SentinelOne	Static AI - Malicious PE

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	185.56.76.28:443
dead_host	192.168.56.102:49167
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49165
dead_host	185.56.76.108:443
dead_host	192.168.56.102:49171
dead_host	68.69.26.182:443
dead_host	185.56.76.94:443

downloaddocument.do

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All