Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 5, 2021, 9:41 a.m.	Aug. 5, 2021, 9:47 a.m.

Size	587.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`3693d70402a26fa0810d8ea85c95c954`
SHA256	`9a4e3fd33a4d3f520dfacdd0c80526b550b9235d999c2cc438eda0f204c8cae6`
CRC32	`CCBBDE78`
ssdeep	`12288:WH+2g21CB8nlb8uYhkOH7OlgUoL/guZm:cJY8lb853+oT9m`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

wwerfyr.exe "C:\Users\test22\AppData\Local\Temp\wwerfyr.exe"
2064
- AddInProcess32.exe "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe"
  2292

Name	Response	Post-Analysis Lookup
www.google.com	A 142.250.199.68	142.250.196.132
www.epcdiagnostic.com	CNAME epcdiagnostic.com A 185.221.202.118	185.221.202.118

IP Address	Status	Action
142.250.199.68	Active	Moloch
164.124.101.2	Active	Moloch
185.221.202.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49161 -> 142.250.199.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 185.221.202.118:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 185.221.202.118:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.221.202.118:443 -> 192.168.56.102:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 185.221.202.118:80	2025885	ET MALWARE AZORult Variant.4 Checkin M2	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49161 142.250.199.68:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com	9f:0e:42:2d:88:e4:7b:df:08:66:47:16:63:48:02:84:a4:89:de:8e
TLSv1 192.168.56.102:49163 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 5, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 5, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Aug. 5, 2021, 9:41 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 5, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003637d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00363850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 5, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00363850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2021, 9:41 a.m.		1	1	0

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37302892 registers.esi: 37304184 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303004 registers.esi: 37329748 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303116 registers.esi: 37336992 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303228 registers.esi: 37344228 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303340 registers.esi: 37351464 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303452 registers.esi: 37358708 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303564 registers.esi: 37365944 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303676 registers.esi: 37373188 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303788 registers.esi: 37380432 registers.ecx: 1911573806	1
__exception__ Aug. 5, 2021, 9:41 a.m.	stacktrace: 0xa22855 0xa22587 0xa22099 0xa20194 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 40 04 3b 45 dc 0f 95 c0 0f b6 c0 85 c0 74 17 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa238ab registers.esp: 3272044 registers.edi: 37304888 registers.eax: 0 registers.ebp: 3272136 registers.edx: 0 registers.ebx: 37303900 registers.esi: 37387676 registers.ecx: 1911573806	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://www.epcdiagnostic.com/wp-content/rem/cach/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (3 events)

request	POST http://www.epcdiagnostic.com/wp-content/rem/cach/index.php
request	GET https://www.google.com/
request	GET https://www.bing.com/

Sends data using the HTTP POST Method (1 event)

request

POST http://www.epcdiagnostic.com/wp-content/rem/cach/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 89 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e6a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e90400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 5, 2021, 9:41 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00092200', u'virtual_address': u'0x00002000', u'entropy': 6.814963958551926, u'name': u'.text', u'virtual_size': u'0x000921b4'}

entropy

6.81496395855

description

A section with a high entropy has been found

entropy

0.995741056218

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 5, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (16 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2292 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000670	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 5, 2021, 9:41 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

wwerfyr.exe tried to sleep 8184503 seconds, actually delayed analysis time by 8184503 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàø¡°@@ÐàXCODE$ `DATA°@ÀBSS]ÀÀ.idataÐ@À.relocXà¦@PÆ@P base_address: 0x00400000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ<P@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëdÈAÈÈAÇA ÇAÀÈAàÉAüÆAìÈAðÆAÈAlÇA`ÈA¤ÆA`ÉAèÉAÈA°ÈA ÊA<ÇAÇAÉAdÇAlÆAÈÉAPÈA(ÇAÄÉA¼ÈAìÉA´ÈAÈAÈApÉAÉA$ÉAÉAÔÇAXÈAÇA¸ÆA@ÉAÄÈAÇAÊA$ÈA\ÈAÆAÈAÉAÊAÀÆAÈA´°AHÈA¨ÈA@ÈA0ÊA\|ÈALÉA¼ÉAÔÈAôÇAÜÉAxÉAÇAtÈAÈA°ÉA$ÊA¸ÇA ÉAÄÊA\ÉA\|ÉA0ÈAèÈAäÉAÈApÈAÈAXÇAøÆAHÉA0ÇAäÈAÌÈA\|ÆA<ÈA4ÈAÈAÆAÈAèÆA\|ÇAÇAÇA8ÇAhÉAÌÉAÉADÈAàÈA,ÉA ÈA°ÇAÉA¨ÉA¸°A¸ÈAäÆAüÇA@ÊAÜÇA8ÉA°°AÊA¼ÆAÐÈA(ÊA´ÆA(ÈAdÉAdÆAÄÇALÊAèÇAÉA<ÉAÊAxÈAìÆAÐÉAÉAØÈA<ÊAØÇAÉA°ÆAÜÈA¬ÉA$ÇA0ÉAÈAdÊAØ°ALÈATÉA ÉAüÈA¼°AÈAÆA ÇAÊA¬ÈAXÉAôÈAÊA ÈAlÈAÉAÇA,ÊA8ÈAÉA4ÉAðÈAÇAÆA ÆA4ÇAÊA¬ÆALÇAHÊAäÇAÈA´ÇA¬ÇAÆAøÇAtÉAÉAÉAPÉAHÇAÈAôÆAÈÆA@ÇA\ÇA¬°A¼ÊAÀÉADÊAàÇAôÉAÔÉA4ÊA¤ÉAøÉAÇAøÈA,ÈAÉAüÉATÈAðÇA(ÉAlÉADÉAÈAÄÆAÇAÆAhÈA¸ÉAðÉA¤ÈAØÉA8ÊAÆA,ÇAÉAhÆAÉADÇAPÊAìÇA¼ÇA base_address: 0x0041b000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2292 process_handle: 0x00000670	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàø¡°@@ÐàXCODE$ `DATA°@ÀBSS]ÀÀ.idataÐ@À.relocXà¦@PÆ@P base_address: 0x00400000 process_identifier: 2292 process_handle: 0x00000670	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2064 called NtSetContextThread to modify thread in remote process 2292
NtSetContextThread Aug. 5, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4301304 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000066c process_identifier: 2292	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\wwerfyr.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2064 resumed a thread in remote process 2292
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2292	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000638 suspend_count: 1 process_identifier: 2064	1	0
NtGetContextThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 2064	1	0
CreateProcessInternalW Aug. 5, 2021, 9:41 a.m.	thread_identifier: 2296 thread_handle: 0x0000066c process_identifier: 2292 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000670	1	1
NtGetContextThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x0000066c	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 2292 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000670	1	0
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàø¡°@@ÐàXCODE$ `DATA°@ÀBSS]ÀÀ.idataÐ@À.relocXà¦@PÆ@P base_address: 0x00400000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: base_address: 0x00401000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ<P@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëdÈAÈÈAÇA ÇAÀÈAàÉAüÆAìÈAðÆAÈAlÇA`ÈA¤ÆA`ÉAèÉAÈA°ÈA ÊA<ÇAÇAÉAdÇAlÆAÈÉAPÈA(ÇAÄÉA¼ÈAìÉA´ÈAÈAÈApÉAÉA$ÉAÉAÔÇAXÈAÇA¸ÆA@ÉAÄÈAÇAÊA$ÈA\ÈAÆAÈAÉAÊAÀÆAÈA´°AHÈA¨ÈA@ÈA0ÊA\|ÈALÉA¼ÉAÔÈAôÇAÜÉAxÉAÇAtÈAÈA°ÉA$ÊA¸ÇA ÉAÄÊA\ÉA\|ÉA0ÈAèÈAäÉAÈApÈAÈAXÇAøÆAHÉA0ÇAäÈAÌÈA\|ÆA<ÈA4ÈAÈAÆAÈAèÆA\|ÇAÇAÇA8ÇAhÉAÌÉAÉADÈAàÈA,ÉA ÈA°ÇAÉA¨ÉA¸°A¸ÈAäÆAüÇA@ÊAÜÇA8ÉA°°AÊA¼ÆAÐÈA(ÊA´ÆA(ÈAdÉAdÆAÄÇALÊAèÇAÉA<ÉAÊAxÈAìÆAÐÉAÉAØÈA<ÊAØÇAÉA°ÆAÜÈA¬ÉA$ÇA0ÉAÈAdÊAØ°ALÈATÉA ÉAüÈA¼°AÈAÆA ÇAÊA¬ÈAXÉAôÈAÊA ÈAlÈAÉAÇA,ÊA8ÈAÉA4ÉAðÈAÇAÆA ÆA4ÇAÊA¬ÆALÇAHÊAäÇAÈA´ÇA¬ÇAÆAøÇAtÉAÉAÉAPÉAHÇAÈAôÆAÈÆA@ÇA\ÇA¬°A¼ÊAÀÉADÊAàÇAôÉAÔÉA4ÊA¤ÉAøÉAÇAøÈA,ÈAÉAüÉATÈAðÇA(ÉAlÉADÉAÈAÄÆAÇAÆAhÈA¸ÉAðÉA¤ÈAØÉA8ÊAÆA,ÇAÉAhÆAÉADÇAPÊAìÇA¼ÇA base_address: 0x0041b000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: base_address: 0x0041e000 process_identifier: 2292 process_handle: 0x00000670	1	1
WriteProcessMemory Aug. 5, 2021, 9:41 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2292 process_handle: 0x00000670	1	1
NtSetContextThread Aug. 5, 2021, 9:41 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4301304 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000066c process_identifier: 2292	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2292	1	0
NtResumeThread Aug. 5, 2021, 9:41 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2292	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.46734597
Cylance	Unsafe
K7AntiVirus	Trojan ( 0058043f1 )
Alibaba	TrojanPSW:MSIL/Kryptik.dbdd674d
K7GW	Trojan ( 0058043f1 )
Arcabit	Trojan.Generic.D2C91D05
Cyren	W32/MSIL_Kryptik.DSR.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ACEZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Coins.gen
BitDefender	Trojan.GenericKD.46734597
MicroWorld-eScan	Trojan.GenericKD.46734597
Avast	Win32:TrojanX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46734597
Comodo	TrojWare.Win32.Agent.tvbyf@0
McAfee-GW-Edition	BehavesLike.Win32.Generic.hh
FireEye	Generic.mg.3693d70402a26fa0
Emsisoft	Trojan.GenericKD.46734597 (B)
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.jwufx
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Trojan.GenericKD.46734597
McAfee	PWS-FCSO!3693D70402A2
MAX	malware (ai score=84)
TrendMicro-HouseCall	TROJ_GEN.R06CH0CH321
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACEZ!tr
BitDefenderTheta	Gen:NN.ZemsilF.34058.Km0@aWzAWWb
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Heur.Generic.HwMAueAA

wwerfyr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All