Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 4, 2023, 10:27 a.m.	Oct. 4, 2023, 10:29 a.m.

Size	2.9MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5dd98f2b9f3dc468601411359cee78b8`
SHA256	`9d6419f4f4c7317619c4d2b7a13ece1b36af4894c1e76f940e789e5dc7f605f6`
CRC32	`A63A6DD9`
ssdeep	`49152:v5ocCidOXaLxKHHdPxc190Dxp2UZ9+hQnjkJt+dO39OxItwk0UGXlwetPCctu+hW:`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

hl.exe "C:\Users\test22\AppData\Local\Temp\hl.exe"
3016
- UG1ETGQP.exe "C:\Users\test22\AppData\Local\Temp\TCDDC40.tmp\UG1ETGQP.exe"
  1368

Name	Response	Post-Analysis Lookup
checkip.dyndns.org	A 132.226.8.169 CNAME checkip.dyndns.com A 193.122.130.0 A 132.226.247.73 A 158.101.44.242 A 193.122.6.168	193.122.6.168
rakishev.net	A 104.21.88.34 A 172.67.150.79	104.21.88.34

IP Address	Status	Action
104.21.88.34	Active	Moloch
164.124.101.2	Active	Moloch
193.122.6.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 193.122.6.168:80	2021378	ET POLICY External IP Lookup - checkip.dyndns.org	Device Retrieving External IP Address Detected
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2043238	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49169 -> 104.21.88.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 104.21.88.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49169 104.21.88.34:443	None	None	None
TLSv1 192.168.56.102:49167 104.21.88.34:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=rakishev.net	3b:3e:a0:2d:12:0b:4e:a8:2e:83:37:80:87:de:50:0f:14:a3:24:e9

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 4, 2023, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 4, 2023, 10:28 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2023, 10:20 a.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 10:20 a.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 10:27 a.m.			0	0
IsDebuggerPresent Oct. 4, 2023, 10:27 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 4, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05d04728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05d047a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2023, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05d047a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2023, 10:20 a.m.		1	1	0

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ Oct. 4, 2023, 10:27 a.m.	stacktrace: 0x7e04d3 0x7e01c0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73de9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73de9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x73de9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x73de9fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x73f10f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73ddbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73dc2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 c1 eb exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7e07d5 registers.esp: 3992528 registers.edi: 3992552 registers.eax: 0 registers.ebp: 3992564 registers.edx: 195 registers.ebx: 3992848 registers.esi: 37928240 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e4076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 38 01 6a 00 ff 71 04 6a 04 8b 15 18 22 40 03 e8 exception.instruction: cmp byte ptr [ecx], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7e4caf registers.esp: 3994380 registers.edi: 3994504 registers.eax: 0 registers.ebp: 3994404 registers.edx: 38422172 registers.ebx: 3994692 registers.esi: 38404220 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: getJit+0x6183 clrjit+0x5aa9b @ 0x73c4aa9b getJit+0xf72e clrjit+0x64046 @ 0x73c54046 sxsJitStartup-0x52dd8 clrjit+0x1abc @ 0x73bf1abc sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73bf1c42 sxsJitStartup-0x52447 clrjit+0x244d @ 0x73bf244d sxsJitStartup-0x50878 clrjit+0x401c @ 0x73bf401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73bf4132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73bf4282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73bf4595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x73df3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x73df3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x73df3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x73df399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x73df3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x73df40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73ddbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73dc2ae9 0x7e97c7 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3989972 registers.edi: 7864336 registers.eax: 3989972 registers.ebp: 3990052 registers.edx: 0 registers.ebx: 1054720 registers.esi: 7880068 registers.ecx: 1	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: getJit+0x6183 clrjit+0x5aa9b @ 0x73c4aa9b getJit+0xf72e clrjit+0x64046 @ 0x73c54046 sxsJitStartup-0x52dd8 clrjit+0x1abc @ 0x73bf1abc sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73bf1c42 sxsJitStartup-0x52447 clrjit+0x244d @ 0x73bf244d sxsJitStartup-0x50878 clrjit+0x401c @ 0x73bf401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73bf4132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73bf4282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73bf4595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x73df3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x73df3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x73df3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x73df399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x73df3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x73df40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73ddbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73dc2ae9 0x7e97c7 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3989972 registers.edi: 7864336 registers.eax: 3989972 registers.ebp: 3990052 registers.edx: 0 registers.ebx: 1054720 registers.esi: 7880068 registers.ecx: 1	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e9b1e 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 fa 2f f7 6b exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658bcc6 registers.esp: 3992352 registers.edi: 0 registers.eax: 39232980 registers.ebp: 3992400 registers.edx: 39232980 registers.ebx: 1 registers.esi: 39232552 registers.ecx: 1914784146	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e9b2c 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 fa 2f f7 6b exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658bcc6 registers.esp: 3992352 registers.edi: 0 registers.eax: 39233688 registers.ebp: 3992400 registers.edx: 39233688 registers.ebx: 1 registers.esi: 39233260 registers.ecx: 1914784146	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7e9b7a registers.esp: 3992408 registers.edi: 0 registers.eax: 0 registers.ebp: 3994404 registers.edx: 106479156 registers.ebx: 1 registers.esi: 39231300 registers.ecx: 39233944	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7ea9d3 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 cb 3e ef 6b 89 45 c4 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658cc1a registers.esp: 3992340 registers.edi: 3992384 registers.eax: 0 registers.ebp: 3992400 registers.edx: 3992308 registers.ebx: 1 registers.esi: 39243028 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7ead56 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658cef9 registers.esp: 3992348 registers.edi: 3992388 registers.eax: 3 registers.ebp: 3992400 registers.edx: 0 registers.ebx: 1 registers.esi: 39250416 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7eae41 registers.esp: 3992408 registers.edi: 38564800 registers.eax: 0 registers.ebp: 3994404 registers.edx: 0 registers.ebx: 1 registers.esi: 39249044 registers.ecx: 4415484	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7eb943 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 00 31 ef 6b 89 45 a0 8b cf e8 52 31 ef exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658d9e5 registers.esp: 3992272 registers.edi: 0 registers.eax: 0 registers.ebp: 3992400 registers.edx: 3992240 registers.ebx: 1 registers.esi: 0 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 79 42 d1 71 85 c0 0f 8e bf 02 00 00 ff exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7ec620 registers.esp: 3992408 registers.edi: 38564800 registers.eax: 0 registers.ebp: 3994404 registers.edx: 37753384 registers.ebx: 1 registers.esi: 39279488 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:28 a.m.	stacktrace: 0x7ec900 0x7e483c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73dc2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73e874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73e87610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73f11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73f11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73f11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73f1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7446f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746f4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 39 09 e8 ae 21 ef 6b 83 78 04 00 0f 84 5c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658e937 registers.esp: 3992308 registers.edi: 3992384 registers.eax: 0 registers.ebp: 3992400 registers.edx: 3992276 registers.ebx: 1 registers.esi: 39284340 registers.ecx: 0	1
__exception__ Oct. 4, 2023, 10:29 a.m.	stacktrace: system+0x6fa816 @ 0x71f8a816 mscorlib+0x32de48 @ 0x7253de48 mscorlib+0x3022a6 @ 0x725122a6 mscorlib+0x32dd91 @ 0x7253dd91 mscorlib+0x32dc4c @ 0x7253dc4c mscorlib+0x32db05 @ 0x7253db05 mscorlib+0x32d9c8 @ 0x7253d9c8 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73dd264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73dd2e95 DllGetClassObjectInternal+0x4825c CorDllMainForThunk-0x4429f clr+0x10d2d5 @ 0x73ecd2d5 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73e37d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73e37dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73e37e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73dcc3bf DllGetClassObjectInternal+0x48208 CorDllMainForThunk-0x442f3 clr+0x10d281 @ 0x73ecd281 DllGetClassObjectInternal+0x48159 CorDllMainForThunk-0x443a2 clr+0x10d1d2 @ 0x73ecd1d2 DllGetClassObjectInternal+0x47f09 CorDllMainForThunk-0x445f2 clr+0x10cf82 @ 0x73eccf82 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x73eaf54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73eda0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 38 01 6a 00 ff 71 04 6a 04 8b 15 18 22 40 03 e8 exception.instruction: cmp byte ptr [ecx], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x658f5d6 registers.esp: 116059916 registers.edi: 39341228 registers.eax: 0 registers.ebp: 116059940 registers.edx: 39356296 registers.ebx: 38576116 registers.esi: 39341244 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://checkip.dyndns.org/
suspicious_features	POST method with no referer header				suspicious_request	POST https://rakishev.net/wp-load.php

Connects to a Dynamic DNS Domain (1 event)

domain

checkip.dyndns.org

Performs some HTTP requests (2 events)

request	GET http://checkip.dyndns.org/
request	POST https://rakishev.net/wp-load.php

Sends data using the HTTP POST Method (1 event)

request

POST https://rakishev.net/wp-load.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef326b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bd4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9345a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9350c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9346c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9345c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9347b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9347d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9346d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9345b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:20 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9346a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 1368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Oct. 4, 2023, 10:28 a.m.	number_of_free_clusters: 1488998 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Looks up the external IP address (1 event)

domain

checkip.dyndns.org

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\TCDDC40.tmp\OCRASK3Y.exe
file	C:\Users\test22\AppData\Local\Temp\TCDDC40.tmp\UG1ETGQP.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Oct. 4, 2023, 10:29 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\ScreenShot filepath: C:\Users\test22\AppData\Roaming\ScreenShot	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\TCDDC40.tmp\OCRASK3Y.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\TCDDC40.tmp\OCRASK3Y.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 4, 2023, 10:27 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 4, 2023, 10:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Oct. 4, 2023, 10:28 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander		2	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 4, 2023, 10:28 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

UG1ETGQP.exe tried to sleep 223709539 seconds, actually delayed analysis time by 223709539 seconds

Harvests credentials from local FTP client softwares (4 events)

file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Harvests information related to installed instant messenger clients (2 events)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry	HKEY_CURRENT_USER\Software\Paltalk

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 4, 2023, 10:28 a.m.	thread_identifier: 0 callback_function: 0x00900f5a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x009a0000	1	2621875	0

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Gen:Heur.MSIL.Binder.13
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Agent_AGen.BJQ
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.MSIL.Binder.13
MicroWorld-eScan	Gen:Heur.MSIL.Binder.13
Avast	Win32:AutoIt-CRO [Trj]
Emsisoft	Gen:Heur.MSIL.Binder.13 (B)
F-Secure	Trojan.TR/Dropper.Gen2
VIPRE	Gen:Heur.MSIL.Binder.13
McAfee-GW-Edition	BehavesLike.Win32.Generic.vz
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.5dd98f2b9f3dc468
Sophos	Mal/MsilDrop-A
SentinelOne	Static AI - Malicious PE
GData	Gen:Heur.MSIL.Binder.13
Jiangmin	Trojan.MSIL.twon
Avira	TR/Dropper.Gen2
Xcitium	TrojWare.MSIL.Agent.GH@60rvah
Arcabit	Trojan.MSIL.Binder.13
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Backdoor:MSIL/Remcos!atmn
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5486082
McAfee	GenericRXWI-VB!5DD98F2B9F3D
MAX	malware (ai score=89)
VBA32	Dropper.MSIL.gen
Malwarebytes	Malware.AI.1368876704
Rising	Dropper.Generic!8.35E (TFE:dGZlOgwTO/kFakrH0A)
Ikarus	Gen.MSIL.Krypt
BitDefenderTheta	Gen:NN.ZemsilF.36738.4oW@a0lof@l
AVG	Win32:AutoIt-CRO [Trj]
Cybereason	malicious.3d16de
DeepInstinct	MALICIOUS

hl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All