Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 25, 2022, 6:48 p.m.	Sept. 25, 2022, 6:55 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f14153bbd95fc26d9ccea77c49cf09b9`
SHA256	`27eab496d0b63d52c18cee063110d9d479523b58426bfcb58e420a5cae087c54`
CRC32	`54DC8BD7`
ssdeep	`12288:aBVCrK2jsP3zv+FSF68GANNhWLS0B6L+FOCN+AzrnxdanvzFzho:SU7ecSgL6y+gk+rnxdarFu`
PDB Path	E:\Archives\Documents\krnl_bootstrapper\obj\Release\net472\krnl_bootstrapper.pdb
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

7za.exe "C:\Users\test22\Documents\krnl\7za.exe" x "C:\Users\test22\Documents\krnl\bin\Monaco.zip" -o"C:\Users\test22\Documents\krnl\bin" -aoa -bsp1
2768
7za.exe "C:\Users\test22\Documents\krnl\7za.exe" x "C:\Users\test22\Documents\krnl\bin\src.7z" -o"C:\Users\test22\Documents\krnl\bin" -aoa -bsp1
2956
krnlss.exe "C:\Users\test22\Documents\krnl\krnlss.exe"
2188

Name	Response	Post-Analysis Lookup
cdn.krnl.place	A 15.235.160.179 A 15.235.160.180 CNAME geo-routing.nexuspipe.com	15.235.160.180
k-storage.com	A 172.67.131.35 A 104.21.3.196	104.21.3.196
sslcom.repository.certum.pl	CNAME e99038.dscb.akamaiedge.net CNAME repository.certum.pl.edgekey.net A 23.43.165.169 A 23.43.165.161 CNAME repository.akamai.certum.pl	23.43.165.169

IP Address	Status	Action
104.21.3.196	Active	Moloch
15.235.160.180	Active	Moloch
164.124.101.2	Active	Moloch
23.43.165.169	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 104.21.3.196:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 15.235.160.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 104.21.3.196:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 104.21.3.196:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ab:99:2c:cc:ff:f8:76:fc:b9:fd:03:4f:b5:fa:51:49:01:32:12:54
TLSv1 192.168.56.103:49172 104.21.3.196:443	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 25, 2022, 6:49 p.m.			0	0
IsDebuggerPresent Sept. 25, 2022, 6:49 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 61 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d9078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d9078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d9078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d90f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d90f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d90f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d92b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d9378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d9378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d93b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e02e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e02e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e02eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e031b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e033b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03a70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2022, 6:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e03c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

E:\Archives\Documents\krnl_bootstrapper\obj\Release\net472\krnl_bootstrapper.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2022, 6:49 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://k-storage.com/krnl_bootstrapper.exe

Performs some HTTP requests (5 events)

request	GET http://sslcom.repository.certum.pl/ctnca.cer
request	GET https://k-storage.com/bootstrapperChecksum.txt
request	GET https://k-storage.com/krnl_bootstrapper.exe
request	GET https://k-storage.com/bootstrapper/files/hashes.txt
request	GET https://k-storage.com/bootstrapper/files/krnlss.exe.config

Allocates read-write-execute memory (usually to unpack itself) (50 out of 106 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00601000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05421000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2022, 6:49 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 145 events)

file	C:\Users\test22\Documents\krnl\bin\src\System.Xml.XmlSerializer.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Net.Primitives.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Threading.Timer.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Dynamic.Runtime.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Threading.ThreadPool.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Diagnostics.Process.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Net.Http.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Diagnostics.StackTrace.dll
file	C:\Users\test22\Documents\krnl\bin\src\CefSharp.Test.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.FileSystem.DriveInfo.dll
file	C:\Users\test22\Documents\krnl\bin\src\xunit.runner.visualstudio.testadapter.dll
file	C:\Users\test22\Documents\krnl\bin\Monaco\vs\basic-languages\lua\lua.js
file	C:\Users\test22\Documents\krnl\bin\src\Nito.AsyncEx.Context.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.ComponentModel.Primitives.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Xml.ReaderWriter.dll
file	C:\Users\test22\Documents\krnl\bin\src\CefSharp.Wpf.dll
file	C:\Users\test22\Documents\krnl\bin\Monaco\vs\base\worker\workerMain.js
file	C:\Users\test22\Documents\krnl\bin\src\System.Collections.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.ObjectModel.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.ComponentModel.TypeConverter.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Runtime.InteropServices.dll
file	C:\Users\test22\Documents\krnl\bin\Monaco\vs\editor\editor.main.nls.ko.js
file	C:\Users\test22\Documents\krnl\bin\src\System.Resources.ResourceManager.dll
file	C:\Users\test22\Documents\krnl\bin\src\CefSharp.OffScreen.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Runtime.Handles.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Xml.XmlDocument.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.FileSystem.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Runtime.CompilerServices.VisualC.dll
file	C:\Users\test22\Documents\krnl\bin\src\Nito.Disposables.dll
file	C:\Users\test22\Documents\krnl\bin\Monaco\vs\editor\editor.main.nls.fr.js
file	C:\Users\test22\Documents\krnl\bin\src\System.Xml.XPath.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Globalization.Calendars.dll
file	C:\Users\test22\Documents\krnl\bin\Monaco\vs\editor\editor.main.nls.it.js
file	C:\Users\test22\Documents\krnl\bin\src\System.Xml.XPath.XDocument.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.MemoryMappedFiles.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Diagnostics.FileVersionInfo.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Security.Cryptography.Encoding.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.Compression.ZipFile.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Drawing.Primitives.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.FileSystem.Primitives.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Runtime.Numerics.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.IO.Pipes.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Resources.Writer.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Threading.Tasks.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Net.NetworkInformation.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Runtime.Serialization.Primitives.dll
file	C:\Users\test22\Documents\krnl\bin\src\swiftshader\libEGL.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Threading.Overlapped.dll
file	C:\Users\test22\Documents\krnl\bin\src\System.Console.dll
file	C:\Users\test22\Documents\krnl\bin\src\Nito.Collections.Deque.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Avast	Win32:DangerousSig [Trj]
McAfee-GW-Edition	Artemis!Trojan
Webroot	W32.Trojan.Gen
Gridinsoft	Ransom.Win32.Wacatac.sa
AhnLab-V3	Unwanted/Win.GameHack.C5112324
McAfee	Artemis!F14153BBD95F
AVG	Win32:DangerousSig [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 25, 2022, 6:49 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:48 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 25, 2022, 6:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 25, 2022, 6:49 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

krnlss.exe tried to sleep 11785665689 seconds, actually delayed analysis time by 11785665689 seconds

Drops 61 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 61 events)

file	C:\Users\test22\Documents\krnl\bin\src\locales\nl.pak
file	C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ED90CF98D7FAD71C274722E4F54A256C
file	C:\Users\test22\Documents\krnl\bin\src\locales\it.pak
file	C:\Users\test22\Documents\krnl\bin\src\snapshot_blob.bin
file	C:\Users\test22\Documents\krnl\bin\src\locales\fil.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\he.pak
file	C:\Users\test22\Documents\krnl\bin\src\v8_context_snapshot.bin
file	C:\Users\test22\Documents\krnl\bin\src\locales\ja.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\ta.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\am.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\id.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\sr.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\hi.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\hu.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\ko.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\et.pak
file	C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ED90CF98D7FAD71C274722E4F54A256C
file	C:\Users\test22\Documents\krnl\bin\src\locales\ml.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\th.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\pt-PT.pak
file	C:\Users\test22\Documents\krnl\bin\src\cef.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\fi.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\fr.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\cs.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\bn.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\sw.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\en-US.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\en-GB.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\bg.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\lt.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\tr.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\lv.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\te.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\ca.pak
file	C:\Users\test22\Documents\krnl\bin\src\icudtl.dat
file	C:\Users\test22\Documents\krnl\bin\src\locales\ru.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\sl.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\zh-TW.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\vi.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\sk.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\ro.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\de.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\uk.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\mr.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\el.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\nb.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\ar.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\es-419.pak
file	C:\Users\test22\Documents\krnl\bin\src\locales\pt-BR.pak
file	C:\Users\test22\Documents\krnl\bin\src\devtools_resources.pak

krnl_bootstrapper.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All