Summary | ZeroBOX

BR.exe

Themida Admin Tool (Sysinternals etc ...) UPX PE File PE32 .NET EXE
Category FILE
Machine s1_win7_x6403_us
Started Aug. 7, 2023, 9:25 a.m.
Completed Aug. 7, 2023, 9:36 a.m.
Size 2.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c895da0796fc8d1b87c7212ef1e5b0b7
SHA256 38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689
CRC32 E327CFA9
ssdeep 49152:52bivgTXZviuMgqQMVylgJzXW/AlxCaOzn3oHuIhv3O6AlyWCpIW+l:lgTXtiuMgqQWX5XIqQxj3BIx+6aSWJ
Yara
  • UPX_Zero - UPX packed file
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • themida_packer - themida packer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
pastebin.com 172.67.34.170
IP Address Status Action
103.100.211.218 Active Moloch
164.124.101.2 Active Moloch
172.67.34.170 Active Moloch
95.143.190.57 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 172.67.34.170:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow TLSv1 192.168.56.103:49165 -> 172.67.34.170:443
Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f9ef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f9ef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f9db0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
br+0x428e54 @ 0x828e54
br+0x422d34 @ 0x822d34

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 5f 43 fd 8a 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1638148
registers.edi: 5431296
registers.eax: 1638148
registers.ebp: 1638228
registers.edx: 2130566132
registers.ebx: 1969225702
registers.esi: 2006021163
registers.ecx: 795410432
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 20 6d 06 00 c3 e9 07 89 01 00 14 7e 70 1d
exception.symbol: br+0x446930
exception.instruction: in eax, dx
exception.module: BR.exe
exception.exception_code: 0xc0000096
exception.offset: 4483376
exception.address: 0x846930
registers.esp: 1638268
registers.edi: 7246527
registers.eax: 1750617430
registers.ebp: 5431296
registers.edx: 2130532438
registers.ebx: 0
registers.esi: 6605385
registers.ecx: 20
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 8a f7 06 00 9d 6b b3 24 6a 00 be a3 e1 c2
exception.symbol: br+0x42e339
exception.instruction: in eax, dx
exception.module: BR.exe
exception.exception_code: 0xc0000096
exception.offset: 4383545
exception.address: 0x82e339
registers.esp: 1638268
registers.edi: 7246527
registers.eax: 1447909480
registers.ebp: 5431296
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 6605385
registers.ecx: 10
1 0 0

__exception__

stacktrace:
0x5974cac
0x5974c68
0x4ef65b2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3

exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b
exception.instruction: mov ecx, dword ptr [esi + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5976212
registers.esp: 1635448
registers.edi: 44450860
registers.eax: 93807104
registers.ebp: 1635460
registers.edx: 44450860
registers.ebx: 326
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x5974cac
0x5974c68
0x4ef65b2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3

exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b
exception.instruction: mov ecx, dword ptr [esi + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5976212
registers.esp: 1635448
registers.edi: 44606756
registers.eax: 44606756
registers.ebp: 1635460
registers.edx: 44606756
registers.ebx: 326
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x5974cac
0x5974c68
0x4ef65b2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3

exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b
exception.instruction: mov ecx, dword ptr [esi + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5976212
registers.esp: 1635448
registers.edi: 44748280
registers.eax: 44748280
registers.ebp: 1635460
registers.edx: 44748280
registers.ebx: 326
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/V1mwGj8h
request GET https://pastebin.com/raw/V1mwGj8h
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755ff000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75608000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75443000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7580c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7581c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7580c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7586f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757f7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7559e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7580c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7580a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7580a000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00043400', u'virtual_address': u'0x00002000', u'entropy': 7.986677836534138, u'name': u' ', u'virtual_size': u'0x00076000'} entropy 7.98667783653 description A section with a high entropy has been found
section {u'size_of_data': u'0x00016e00', u'virtual_address': u'0x00078000', u'entropy': 7.943097064600425, u'name': u' ', u'virtual_size': u'0x00090bba'} entropy 7.9430970646 description A section with a high entropy has been found
section {u'size_of_data': u'0x00241800', u'virtual_address': u'0x004e4000', u'entropy': 7.938139634138896, u'name': u'.boot', u'virtual_size': u'0x00241800'} entropy 7.93813963414 description A section with a high entropy has been found
entropy 0.954943679599 description Overall entropy of this PE file is high
process system
host 103.100.211.218
host 95.143.190.57
Time & API Arguments Status Return Repeated

FindWindowA

class_name: OLLYDBG
window_name:
0 0

FindWindowA

class_name: GBDYLLO
window_name:
0 0

FindWindowA

class_name: pediy06
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: #0
window_name: File Monitor - Sysinternals: www.sysinternals.com
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: #0
window_name: Process Monitor - Sysinternals: www.sysinternals.com
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
exception.instruction_r: ed e9 8a f7 06 00 9d 6b b3 24 6a 00 be a3 e1 c2
exception.symbol: br+0x42e339
exception.instruction: in eax, dx
exception.module: BR.exe
exception.exception_code: 0xc0000096
exception.offset: 4383545
exception.address: 0x82e339
registers.esp: 1638268
registers.edi: 7246527
registers.eax: 1447909480
registers.ebp: 5431296
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 6605385
registers.ecx: 10
1 0 0
dead_host 95.143.190.57:15647
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Convagent.trYj
MicroWorld-eScan Trojan.GenericKD.68411144
CAT-QuickHeal Trojanpws.Msil
McAfee Artemis!C895DA0796FC
Malwarebytes Backdoor.Bot
VIPRE Trojan.GenericKD.68411144
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
Alibaba TrojanPSW:MSIL/Reline.7c6fe276
K7GW Riskware ( 00584baa1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D413DF08
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 MSIL/Agent.CKL
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Trojan-PSW.MSIL.Reline.ulk
BitDefender Trojan.GenericKD.68411144
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Avast Win32:DropperX-gen [Drp]
Tencent Malware.Win32.Gencirc.13eb3e80
Sophos Mal/Generic-S
F-Secure Trojan.TR/RedLine.tzrht
DrWeb Trojan.PWS.RedLine.99
TrendMicro TrojanSpy.Win32.REDLINE.YXDG3Z
McAfee-GW-Edition BehavesLike.Win32.Generic.vc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.c895da0796fc8d1b
Emsisoft Trojan.GenericKD.68411144 (B)
Ikarus Trojan.RedLine
Webroot W32.Trojan.GenKD
Avira TR/RedLine.tzrht
MAX malware (ai score=85)
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Ransom.Win32.Wacatac.cl
Xcitium Malware@#1x2vrmqtf2w4l
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm Trojan-PSW.MSIL.Reline.ulk
GData Trojan.GenericKD.68411144
Google Detected
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36348.UE0@aiblBPni
ALYac Trojan.GenericKD.68411144
VBA32 BScope.TrojanPSW.MSIL.Reline
Cylance unsafe
Panda Trj/Genetic.gen
Zoner Probably Heur.ExeHeaderL
TrendMicro-HouseCall TrojanSpy.Win32.REDLINE.YXDG3Z