Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 5, 2023, 7:40 a.m.	Oct. 5, 2023, 7:46 a.m.

Size	6.3MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`43793501051282b49746c790640bcf31`
SHA256	`8d838d8dfcbba6f068d455c39821bff5e4fa44008adb85a54106ac06f6382dfb`
CRC32	`60D1C57F`
ssdeep	`49152:HTICumncpTGb5g5qfc7/MnhsoieMc2h1+mlzB553puKaTMjrCGu4IELoy4HQQVka:`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

XZJ7pcVdxODBwEr.exe "C:\Users\test22\AppData\Local\Temp\XZJ7pcVdxODBwEr.exe"
1268
- U8I6SRP5.exe "C:\Users\test22\AppData\Roaming\Sun\U8I6SRP5.exe"
  2300
- CKM6BLNA.exe "C:\Users\test22\AppData\Local\Temp\{C89BF6CD-5599-48E1-B3A7-201639899E70}\CKM6BLNA.exe"
  2348

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.33 CNAME a1952.dscq.akamai.net A 182.162.106.32 CNAME identrust.edgesuite.net	23.67.53.27
checkip.dyndns.org	A 132.226.8.169 CNAME checkip.dyndns.com A 193.122.130.0 A 132.226.247.73 A 158.101.44.242 A 193.122.6.168	158.101.44.242
rakishev.org	A 104.21.20.56 A 172.67.191.205	172.67.191.205

IP Address	Status	Action
132.226.8.169	Active	Moloch
164.124.101.2	Active	Moloch
172.67.191.205	Active	Moloch
182.162.106.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2043238	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 132.226.8.169:80	2021378	ET POLICY External IP Lookup - checkip.dyndns.org	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 172.67.191.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 172.67.191.205:443	C=US, O=Let's Encrypt, CN=E1	CN=rakishev.org	0c:42:8c:32:44:4b:bd:de:80:d0:00:61:41:12:03:95:25:52:06:2c
TLSv1 192.168.56.103:49174 172.67.191.205:443	None	None	None
TLSv1 192.168.56.103:49175 172.67.191.205:443	None	None	None
TLSv1 192.168.56.103:49170 172.67.191.205:443	C=US, O=Let's Encrypt, CN=E1	CN=rakishev.org	0c:42:8c:32:44:4b:bd:de:80:d0:00:61:41:12:03:95:25:52:06:2c
TLSv1 192.168.56.103:49171 172.67.191.205:443	C=US, O=Let's Encrypt, CN=E1	CN=rakishev.org	0c:42:8c:32:44:4b:bd:de:80:d0:00:61:41:12:03:95:25:52:06:2c
TLSv1 192.168.56.103:49167 172.67.191.205:443	C=US, O=Let's Encrypt, CN=E1	CN=rakishev.org	0c:42:8c:32:44:4b:bd:de:80:d0:00:61:41:12:03:95:25:52:06:2c

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 5, 2023, 7:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2023, 7:32 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:32 a.m.			0	0
IsDebuggerPresent Oct. 5, 2023, 7:40 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 5, 2023, 7:32 a.m.		1	1	0

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x8304f5 0x8301db CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x740493cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x7404940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x74049479 CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x74052723 CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x74052606 CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x7403fd15 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x74040033 0x4e083e CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 dc 8b 4d d8 e8 7c 4f 90 70 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x830788 registers.esp: 2810832 registers.edi: 2810856 registers.eax: 0 registers.ebp: 2810872 registers.edx: 158 registers.ebx: 2811012 registers.esi: 37597844 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x831032 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 3b 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x831d4f registers.esp: 2812752 registers.edi: 2812928 registers.eax: 0 registers.ebp: 2812784 registers.edx: 2812692 registers.ebx: 2812988 registers.esi: 38144432 registers.ecx: 2812692	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x73c434da getJit+0x443a mscorjit+0x49570 @ 0x73c39570 getJit-0x40c50 mscorjit+0x44e6 @ 0x73bf44e6 getJit-0x40aca mscorjit+0x466c @ 0x73bf466c getJit-0x3fc12 mscorjit+0x5524 @ 0x73bf5524 getJit-0x3fa6b mscorjit+0x56cb @ 0x73bf56cb getJit-0x3f356 mscorjit+0x5de0 @ 0x73bf5de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x74063dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x74063e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x74063ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x74063c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x74063a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7403fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x74040033 0x4e083e 0x837157 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2808700 registers.edi: 8534916 registers.eax: 2808700 registers.ebp: 2808780 registers.edx: 0 registers.ebx: 8 registers.esi: 8519696 registers.ecx: 1	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x73c434da getJit+0x443a mscorjit+0x49570 @ 0x73c39570 getJit-0x40c50 mscorjit+0x44e6 @ 0x73bf44e6 getJit-0x40aca mscorjit+0x466c @ 0x73bf466c getJit-0x3fc12 mscorjit+0x5524 @ 0x73bf5524 getJit-0x3fa6b mscorjit+0x56cb @ 0x73bf56cb getJit-0x3f356 mscorjit+0x5de0 @ 0x73bf5de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x74063dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x74063e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x74063ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x74063c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x74063a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7403fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x74040033 0x4e083e 0x837157 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2808700 registers.edi: 8534916 registers.eax: 2808700 registers.ebp: 2808780 registers.edx: 0 registers.ebx: 8 registers.esi: 8519696 registers.ecx: 1	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x837503 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 b7 6c exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6131cd5 registers.esp: 2810760 registers.edi: 0 registers.eax: 39082424 registers.ebp: 2810812 registers.edx: 39082424 registers.ebx: 1 registers.esi: 39081516 registers.ecx: 1923964662	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x837511 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 b7 6c exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6131cd5 registers.esp: 2810760 registers.edi: 0 registers.eax: 39083568 registers.ebp: 2810812 registers.edx: 39083568 registers.ebx: 1 registers.esi: 39082660 registers.ecx: 1923964662	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x83755f registers.esp: 2810820 registers.edi: 0 registers.eax: 0 registers.ebp: 2812784 registers.edx: 2810760 registers.ebx: 1 registers.esi: 39079896 registers.ecx: 39083780	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x83866b 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 50 1b ad 6c 89 45 c4 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6132cd1 registers.esp: 2810752 registers.edi: 2810796 registers.eax: 0 registers.ebp: 2810812 registers.edx: 2810720 registers.ebx: 1 registers.esi: 39098976 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x838a37 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 e9 87 00 00 00 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6132fff registers.esp: 2810756 registers.edi: 2810796 registers.eax: 3 registers.ebp: 2810812 registers.edx: 0 registers.ebx: 1 registers.esi: 39102464 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x838b22 registers.esp: 2810820 registers.edi: 38333368 registers.eax: 0 registers.ebp: 2812784 registers.edx: 0 registers.ebx: 1 registers.esi: 39099912 registers.ecx: 2810752	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x839882 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 af 0c ad 6c 89 45 bc 8b ce e8 1d 0e ad exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6133b72 registers.esp: 2810712 registers.edi: 0 registers.eax: 0 registers.ebp: 2810812 registers.edx: 2810680 registers.ebx: 1 registers.esi: 0 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 83 78 0c 00 0f 8e d3 03 00 00 ff 15 68 87 3c 00 exception.instruction: cmp dword ptr [eax + 0xc], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x83a775 registers.esp: 2810820 registers.edi: 38333368 registers.eax: 0 registers.ebp: 2812784 registers.edx: 37425560 registers.ebx: 1 registers.esi: 39130204 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: 0x83ab64 0x83188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x74056a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x74056a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x74056a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x740f6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x740f69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x740f6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x740f70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x740f6fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74877f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74874de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 ca ff ac 6c 83 78 04 00 0f 84 8f 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6134857 registers.esp: 2810720 registers.edi: 39136756 registers.eax: 0 registers.ebp: 2810812 registers.edx: 2810688 registers.ebx: 1 registers.esi: 39136548 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:41 a.m.	stacktrace: system+0x5ada48 @ 0x7280da48 mscorlib+0x1e843f @ 0x72c6843f mscorlib+0x1e83ab @ 0x72c683ab CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x74031b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x74048dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x740493cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x7404940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x74049479 CreateAssemblyNameObject+0xccc6 DllRegisterServerInternal-0x345d mscorwks+0x52e09 @ 0x74082e09 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x7408192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x740818cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x740817f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x7408197d CreateAssemblyNameObject+0xc655 DllRegisterServerInternal-0x3ace mscorwks+0x52798 @ 0x74082798 CreateAssemblyNameObject+0xcc46 DllRegisterServerInternal-0x34dd mscorwks+0x52d89 @ 0x74082d89 CreateAssemblyNameObject+0xcc75 DllRegisterServerInternal-0x34ae mscorwks+0x52db8 @ 0x74082db8 CreateAssemblyNameObject+0xcd1b DllRegisterServerInternal-0x3408 mscorwks+0x52e5e @ 0x74082e5e CreateAssemblyNameObject+0xc9dd DllRegisterServerInternal-0x3746 mscorwks+0x52b20 @ 0x74082b20 CreateAssemblyNameObject+0xc2ef DllRegisterServerInternal-0x3e34 mscorwks+0x52432 @ 0x74082432 GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x7419805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 3b 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x61376be registers.esp: 116585328 registers.edi: 39258220 registers.eax: 0 registers.ebp: 116585360 registers.edx: 116585268 registers.ebx: 39182324 registers.esi: 39258248 registers.ecx: 116585268	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: ckm6blna+0x16a3 @ 0x4016a3 ckm6blna+0x12c9b8 @ 0x52c9b8 ckm6blna+0x113796 @ 0x513796 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff c7 45 fc fe ff exception.symbol: ckm6blna+0x110f exception.address: 0x40110f exception.module: CKM6BLNA.exe exception.exception_code: 0xc000001d exception.offset: 4367 registers.esp: 1637964 registers.edi: 5818768 registers.eax: 1 registers.ebp: 1638008 registers.edx: 582600 registers.ebx: 4294967295 registers.esi: 5818768 registers.ecx: 2457862144	1
__exception__ Oct. 5, 2023, 7:40 a.m.	stacktrace: ckm6blna+0x12c9b8 @ 0x52c9b8 ckm6blna+0x113796 @ 0x513796 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: f0 4b 6a 00 6a 00 6a 00 68 40 10 40 00 6a 00 6a exception.symbol: ckm6blna+0x16ca exception.instruction: dec ebx exception.module: CKM6BLNA.exe exception.exception_code: 0xc000001d exception.offset: 5834 exception.address: 0x4016ca registers.esp: 1638016 registers.edi: 5818768 registers.eax: 0 registers.ebp: 1638116 registers.edx: 0 registers.ebx: 4294967295 registers.esi: 5818768 registers.ecx: 1941101568	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://checkip.dyndns.org/

Connects to a Dynamic DNS Domain (1 event)

domain

checkip.dyndns.org

Performs some HTTP requests (2 events)

request	GET http://checkip.dyndns.org/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 117 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:32 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:40 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Oct. 5, 2023, 7:40 a.m.	number_of_free_clusters: 2423236 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Looks up the external IP address (1 event)

domain

checkip.dyndns.org

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Sun\U8I6SRP5.exe
file	C:\Users\test22\AppData\Local\Temp\{C89BF6CD-5599-48E1-B3A7-201639899E70}\CKM6BLNA.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Oct. 5, 2023, 7:41 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\ScreenShot filepath: C:\Users\test22\AppData\Roaming\ScreenShot	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\{C89BF6CD-5599-48E1-B3A7-201639899E70}\CKM6BLNA.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\{C89BF6CD-5599-48E1-B3A7-201639899E70}\CKM6BLNA.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 5, 2023, 7:40 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 5, 2023, 7:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Oct. 5, 2023, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander		2	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 5, 2023, 7:40 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

U8I6SRP5.exe tried to sleep 2728468 seconds, actually delayed analysis time by 2728468 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyOtApp

reg_value

C:\Users\test22\AppData\Roaming\Ja\Ja.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Harvests information related to installed instant messenger clients (2 events)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry	HKEY_CURRENT_USER\Software\Paltalk

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 5, 2023, 7:40 a.m.	thread_identifier: 0 callback_function: 0x004e1682 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x008a0000	1	131557	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\Ja\Ja.exe:Zone.Identifier

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.MSIL.Binder.13
FireEye	Generic.mg.43793501051282b4
McAfee	GenericRXWI-VB!437935010512
Malwarebytes	Trojan.Binder.MSIL.Generic
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.MSIL.Binder.13
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.FEG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.MSIL.Binder.13
Avast	Win32:DropperX-gen [Drp]
Emsisoft	Gen:Heur.MSIL.Binder.13 (B)
F-Secure	Trojan.TR/Dropper.Gen2
DrWeb	Trojan.PackedNET.2424
VIPRE	Gen:Heur.MSIL.Binder.13
McAfee-GW-Edition	BehavesLike.Win32.Generic.vz
Trapmine	malicious.moderate.ml.score
Sophos	Mal/MsilDrop-A
Ikarus	Gen.MSIL.Krypt
Jiangmin	Trojan.MSIL.twon
Avira	TR/Dropper.Gen2
Kingsoft	malware.kb.c.1000
Xcitium	TrojWare.MSIL.Agent.GH@60rvah
Microsoft	Backdoor:MSIL/Remcos!atmn
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Heur.MSIL.Binder.13
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5486082
BitDefenderTheta	Gen:NN.ZemsilF.36738.@pW@aOzI46p
ALYac	Gen:Heur.MSIL.Binder.13
MAX	malware (ai score=81)
VBA32	Dropper.MSIL.gen
Cylance	unsafe
Rising	Dropper.Generic!8.35E (TFE:dGZlOgwTO/kFakrH0A)
SentinelOne	Static AI - Malicious PE
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.5e9ea2
DeepInstinct	MALICIOUS

XZJ7pcVdxODBwEr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All