Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 10, 2021, 9:29 p.m.	Aug. 10, 2021, 9:31 p.m.

Size	568.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`07684da40ad79495b5db6ddcf723bd8e`
SHA256	`683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff`
CRC32	`F83580A2`
ssdeep	`12288:1fIK0Xnn2SAXZUgKPLWg4+cLeWNTOg2d1yrvF:J4XnnzAX+zPqzLL3l2jyr`
PDB Path	c:\These_Follow\Pound\Fight\Love.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\611237846402f.dll,Parentinstrument
2476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\611237846402f.dll,Spacethan
2576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\611237846402f.dll,Fall
2272
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\611237846402f.dll,
2704

Name	Response	Post-Analysis Lookup
outlook.com	A 40.97.161.50 A 40.97.160.2 A 40.97.153.146 A 40.97.128.194 A 40.97.116.82 A 40.97.164.146 A 40.97.148.226 A 40.97.156.114	40.97.164.146
outlook.office365.com	A 40.100.48.82 CNAME outlook.ms-acdc.office.com CNAME outlook.ha.office365.com A 52.98.51.146 CNAME ICN-efz.ms-acdc.office.com A 40.100.49.2 A 40.100.48.98 A 52.98.51.162 A 40.100.51.18	40.100.52.18
www.outlook.com	A 40.100.48.82 A 40.100.51.18 CNAME outlook.ms-acdc.office.com CNAME outlook.ha.office365.com A 40.100.49.18 CNAME outlook.office365.com CNAME ICN-efz.ms-acdc.office.com A 40.100.49.34 A 40.100.50.114 A 40.100.48.98	40.101.144.98

IP Address	Status	Action
164.124.101.2	Active	Moloch
40.100.48.82	Active	Moloch
40.100.49.2	Active	Moloch
40.100.49.34	Active	Moloch
40.97.161.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 40.100.49.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 40.97.161.50:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 40.100.49.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 40.97.161.50:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 40.100.49.2:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 40.100.48.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49179 40.100.49.34:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.103:49176 40.97.161.50:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	0a:e2:86:8c:39:3d:57:df:34:f1:c2:be:9b:32:aa:f6:6e:76:42:5a
TLSv1 192.168.56.103:49180 40.100.49.34:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.103:49177 40.97.161.50:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	0a:e2:86:8c:39:3d:57:df:34:f1:c2:be:9b:32:aa:f6:6e:76:42:5a
TLSv1 192.168.56.103:49181 40.100.49.2:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.103:49182 40.100.48.82:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name:		0
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name:		0
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name:		0
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name:		0
GetComputerNameW Aug. 10, 2021, 9:29 p.m.	computer_name: TEST22-PC	1	1

This executable has a PDB path (1 event)

pdb_path

c:\These_Follow\Pound\Fight\Love.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2021, 9:29 p.m.		1	1	0

Performs some HTTP requests (3 events)

request	GET https://outlook.com/tragli/JeFN0YgrW/72ge1K57HPfLT0V_2Bo2/xNEOvkt0nPz6Ld7W0_2/Fd5A_2B38SD5K_2BrZkIXO/vP1DDaBsBEZpi/nFFIjr82/y_2FpXXpoKGFESITR_2Fbcm/9Vmg9EPw3x/ujr996BAGYcBkxQRw/j9PzAGSA_2Fi/saoRPZU5DzQ/6Ey0JNKMyQmnwR/jwKTh1VHAc24Sc3kanHWr/oUw1lPv4pD6iqRdX/MKOFAVIzbW/Mfr.brw
request	GET https://www.outlook.com/tragli/JeFN0YgrW/72ge1K57HPfLT0V_2Bo2/xNEOvkt0nPz6Ld7W0_2/Fd5A_2B38SD5K_2BrZkIXO/vP1DDaBsBEZpi/nFFIjr82/y_2FpXXpoKGFESITR_2Fbcm/9Vmg9EPw3x/ujr996BAGYcBkxQRw/j9PzAGSA_2Fi/saoRPZU5DzQ/6Ey0JNKMyQmnwR/jwKTh1VHAc24Sc3kanHWr/oUw1lPv4pD6iqRdX/MKOFAVIzbW/Mfr.brw
request	GET https://outlook.office365.com/tragli/JeFN0YgrW/72ge1K57HPfLT0V_2Bo2/xNEOvkt0nPz6Ld7W0_2/Fd5A_2B38SD5K_2BrZkIXO/vP1DDaBsBEZpi/nFFIjr82/y_2FpXXpoKGFESITR_2Fbcm/9Vmg9EPw3x/ujr996BAGYcBkxQRw/j9PzAGSA_2Fi/saoRPZU5DzQ/6Ey0JNKMyQmnwR/jwKTh1VHAc24Sc3kanHWr/oUw1lPv4pD6iqRdX/MKOFAVIzbW/Mfr.brw

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74140000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2476 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74140000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ec000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x767c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00802000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74140000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x767c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73991000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 10, 2021, 9:29 p.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731c1000 process_handle: 0xffffffff	1

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Elastic	malicious (high confidence)
Cyren	W32/Agent.BQN.gen!Eldorado
Avast	FileRepMalware
Rising	Trojan.Generic@ML.84 (RDML:YYSV8r/So8qYNsqElCv0fQ)
Ikarus	Trojan.Win32.Crypt
SentinelOne	Static AI - Suspicious PE
AVG	FileRepMalware

Disables proxy possibly for traffic interception (2 events)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 10, 2021, 9:29 p.m.	key_handle: 0x00000348 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0
RegSetValueExA Aug. 10, 2021, 9:29 p.m.	key_handle: 0x00000360 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

611237846402f.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All