Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 5, 2023, 7:45 a.m.	Oct. 5, 2023, 7:51 a.m.

Size	183.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d3fc0eb99a8edffaf0a4c9a66ed91777`
SHA256	`2cddcb281a866b9161475a879856e59ecae640656c7cbaece0cc69f5c53ecd78`
CRC32	`0FC3DB0C`
ssdeep	`3072:OYtwCrULEAkH+LGP34oqKerVUzeeDXbwa21D59ua/aHyvZRQd2in:OYtBrUxqbwv`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) OS_Name_Check_Zero - OS Name Check Signature OS_Memory_Check_Zero - OS Memory Check OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware

KqxxD43gE6ehqZb.exe "C:\Users\test22\AppData\Local\Temp\KqxxD43gE6ehqZb.exe"
2636

Name	Response	Post-Analysis Lookup
checkip.dyndns.org	A 132.226.8.169 CNAME checkip.dyndns.com A 193.122.130.0 A 132.226.247.73 A 158.101.44.242 A 193.122.6.168	158.101.44.242
rakishev.net	A 104.21.88.34 A 172.67.150.79	104.21.88.34

IP Address	Status	Action
158.101.44.242	Active	Moloch
164.124.101.2	Active	Moloch
172.67.150.79	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2043238	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49162 -> 158.101.44.242:80	2021378	ET POLICY External IP Lookup - checkip.dyndns.org	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 172.67.150.79:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 5, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 5, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 5, 2023, 7:45 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae04f5 0xae01db CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x728a93cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x728a940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x728a9479 CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x728b2723 CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x728b2606 CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x7289fd15 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x728a0033 0x60083e CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 ff 50 28 89 45 dc 8b 4d d8 e8 7c 4f d2 6f exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xae0788 registers.esp: 4319216 registers.edi: 4319240 registers.eax: 0 registers.ebp: 4319256 registers.edx: 158 registers.ebx: 4319396 registers.esi: 36944384 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae1032 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 31 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xae1d4f registers.esp: 4321136 registers.edi: 4321312 registers.eax: 0 registers.ebp: 4321168 registers.edx: 4321076 registers.ebx: 4321372 registers.esi: 37497512 registers.ecx: 4321076	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0x5fee648 0x5fedef4 0xae4c33 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 5d c3 00 00 a0 ff ab 00 exception.instruction: mov eax, dword ptr [ecx + 0xc] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fee75c registers.esp: 4318944 registers.edi: 4319000 registers.eax: 0 registers.ebp: 4318944 registers.edx: 4318892 registers.ebx: 38306620 registers.esi: 38299836 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x73c234da getJit+0x443a mscorjit+0x49570 @ 0x73c19570 getJit-0x40c50 mscorjit+0x44e6 @ 0x73bd44e6 getJit-0x40aca mscorjit+0x466c @ 0x73bd466c getJit-0x3fc12 mscorjit+0x5524 @ 0x73bd5524 getJit-0x3fa6b mscorjit+0x56cb @ 0x73bd56cb getJit-0x3f356 mscorjit+0x5de0 @ 0x73bd5de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x728c3dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x728c3e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x728c3ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x728c3c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x728c3a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7289fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x728a0033 0x60083e 0xae720f 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4317084 registers.edi: 11352964 registers.eax: 4317084 registers.ebp: 4317164 registers.edx: 0 registers.ebx: 8 registers.esi: 11337744 registers.ecx: 1	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: getJit+0xe3a4 mscorjit+0x534da @ 0x73c234da getJit+0x443a mscorjit+0x49570 @ 0x73c19570 getJit-0x40c50 mscorjit+0x44e6 @ 0x73bd44e6 getJit-0x40aca mscorjit+0x466c @ 0x73bd466c getJit-0x3fc12 mscorjit+0x5524 @ 0x73bd5524 getJit-0x3fa6b mscorjit+0x56cb @ 0x73bd56cb getJit-0x3f356 mscorjit+0x5de0 @ 0x73bd5de0 CoUninitializeEE+0x8a14 CreateAssemblyNameObject-0x12373 mscorwks+0x33dd0 @ 0x728c3dd0 CoUninitializeEE+0x8aa9 CreateAssemblyNameObject-0x122de mscorwks+0x33e65 @ 0x728c3e65 CoUninitializeEE+0x8b1c CreateAssemblyNameObject-0x1226b mscorwks+0x33ed8 @ 0x728c3ed8 CoUninitializeEE+0x8895 CreateAssemblyNameObject-0x124f2 mscorwks+0x33c51 @ 0x728c3c51 CoUninitializeEE+0x8657 CreateAssemblyNameObject-0x12730 mscorwks+0x33a13 @ 0x728c3a13 CoUninitializeEE-0x1b547 mscorwks+0xfe75 @ 0x7289fe75 CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x728a0033 0x60083e 0xae720f 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x2345678 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4317084 registers.edi: 11352964 registers.eax: 4317084 registers.ebp: 4317164 registers.edx: 0 registers.ebx: 8 registers.esi: 11337744 registers.ecx: 1	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae75bb 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 fe 6b exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd1cd5 registers.esp: 4319144 registers.edi: 0 registers.eax: 38356112 registers.ebp: 4319196 registers.edx: 38356112 registers.ebx: 1 registers.esi: 38355204 registers.ecx: 1910398710	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae75c9 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b cf e8 9b 24 fe 6b exception.instruction: cmp dword ptr [edi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd1cd5 registers.esp: 4319144 registers.edi: 0 registers.eax: 38357256 registers.ebp: 4319196 registers.edx: 38357256 registers.ebx: 1 registers.esi: 38356348 registers.ecx: 1910398710	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xae7617 registers.esp: 4319204 registers.edi: 0 registers.eax: 0 registers.ebp: 4321168 registers.edx: 4319144 registers.ebx: 1 registers.esi: 38353684 registers.ecx: 38357468	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae8723 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 50 1b f4 6b 89 45 c4 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd2cd1 registers.esp: 4319136 registers.edi: 4319180 registers.eax: 0 registers.ebp: 4319196 registers.edx: 4319104 registers.ebx: 1 registers.esi: 38372960 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae8aef 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 e9 87 00 00 00 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd2fff registers.esp: 4319140 registers.edi: 4319180 registers.eax: 3 registers.ebp: 4319196 registers.edx: 0 registers.ebx: 1 registers.esi: 38376448 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 83 7f 08 01 0f 9f exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xae8bda registers.esp: 4319204 registers.edi: 37644740 registers.eax: 0 registers.ebp: 4321168 registers.edx: 0 registers.ebx: 1 registers.esi: 38373896 registers.ecx: 4319136	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae993a 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 af 0c f4 6b 89 45 bc 8b ce e8 1d 0e f4 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd3b72 registers.esp: 4319096 registers.edi: 0 registers.eax: 0 registers.ebp: 4319196 registers.edx: 4319064 registers.ebx: 1 registers.esi: 0 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 78 0c 00 0f 8e d3 03 00 00 ff 15 40 8c 57 00 exception.instruction: cmp dword ptr [eax + 0xc], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaea82d registers.esp: 4319204 registers.edi: 37644740 registers.eax: 0 registers.ebp: 4321168 registers.edx: 36770200 registers.ebx: 1 registers.esi: 38403972 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:45 a.m.	stacktrace: 0xaeac1c 0xae188a CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x72956a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x729569ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x72956eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x729570b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x72956fe4 _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 ca ff f3 6b 83 78 04 00 0f 84 8f 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd4857 registers.esp: 4319104 registers.edi: 38410508 registers.eax: 0 registers.ebp: 4319196 registers.edx: 4319072 registers.ebx: 1 registers.esi: 38410300 registers.ecx: 0	1
__exception__ Oct. 5, 2023, 7:46 a.m.	stacktrace: system+0x5ada48 @ 0x71b9da48 mscorlib+0x1e843f @ 0x71f7843f CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d GetMetaDataInternalInterface+0x492d _CorDllMain-0x8fa8 mscorwks+0x15fa60 @ 0x729efa60 GetMetaDataInternalInterface+0x4a83 _CorDllMain-0x8e52 mscorwks+0x15fbb6 @ 0x729efbb6 mscorlib+0x2356a7 @ 0x71fc56a7 mscorlib+0x2202d5 @ 0x71fb02d5 mscorlib+0x1e83ab @ 0x71f783ab CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x728a93cb CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x728a940c CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x728a9479 CreateAssemblyNameObject+0xccc6 DllRegisterServerInternal-0x345d mscorwks+0x52e09 @ 0x728e2e09 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x728e192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x728e18cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x728e17f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x728e197d CreateAssemblyNameObject+0xc655 DllRegisterServerInternal-0x3ace mscorwks+0x52798 @ 0x728e2798 CreateAssemblyNameObject+0xcc46 DllRegisterServerInternal-0x34dd mscorwks+0x52d89 @ 0x728e2d89 CreateAssemblyNameObject+0xcc75 DllRegisterServerInternal-0x34ae mscorwks+0x52db8 @ 0x728e2db8 CreateAssemblyNameObject+0xcd1b DllRegisterServerInternal-0x3408 mscorwks+0x52e5e @ 0x728e2e5e CreateAssemblyNameObject+0xc9dd DllRegisterServerInternal-0x3746 mscorwks+0x52b20 @ 0x728e2b20 CreateAssemblyNameObject+0xc2ef DllRegisterServerInternal-0x3e34 mscorwks+0x52432 @ 0x728e2432 GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x729f805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 00 6a 00 ff 70 08 6a 04 8b 15 14 21 31 03 8b exception.instruction: cmp dword ptr [eax], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5fd76de registers.esp: 115535184 registers.edi: 38492952 registers.eax: 0 registers.ebp: 115535216 registers.edx: 115535124 registers.ebx: 115535340 registers.esi: 38492980 registers.ecx: 115535124	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://checkip.dyndns.org/
suspicious_features	POST method with no referer header				suspicious_request	POST http://rakishev.net/wp-admin/admin-ajax.php

Connects to a Dynamic DNS Domain (1 event)

domain

checkip.dyndns.org

Performs some HTTP requests (2 events)

request	GET http://checkip.dyndns.org/
request	POST http://rakishev.net/wp-admin/admin-ajax.php

Sends data using the HTTP POST Method (1 event)

request

POST http://rakishev.net/wp-admin/admin-ajax.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00601000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00578000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00579000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fe1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 5, 2023, 7:45 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Looks up the external IP address (1 event)

domain

checkip.dyndns.org

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Oct. 5, 2023, 7:46 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\ScreenShot filepath: C:\Users\test22\AppData\Roaming\ScreenShot	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Oct. 5, 2023, 7:45 a.m.	newfilepath_r: C:\Users\test22\AppData\Local\Temp\\tmpG718.tmp flags: 8 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\KqxxD43gE6ehqZb.exe newfilepath: C:\Users\test22\AppData\Local\Temp\tmpG718.tmp oldfilepath: C:\Users\test22\AppData\Local\Temp\KqxxD43gE6ehqZb.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 5, 2023, 7:45 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 5, 2023, 7:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Oct. 5, 2023, 7:45 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander		2	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 5, 2023, 7:45 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

KqxxD43gE6ehqZb.exe tried to sleep 2728557 seconds, actually delayed analysis time by 2728557 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Harvests information related to installed instant messenger clients (2 events)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
registry	HKEY_CURRENT_USER\Software\Paltalk

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 5, 2023, 7:45 a.m.	thread_identifier: 0 callback_function: 0x00601682 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00c00000	1	328051	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.Common.7804CBF5
Lionic	Trojan.Win32.Agensla.4!c
MicroWorld-eScan	Generic.MSIL.PasswordStealerA.3F30DD76
McAfee	Trojan-FPEL!D3FC0EB99A8E
Malwarebytes	Generic.Malware.AI.DDS
Sangfor	Virus.Win32.Save.a
Alibaba	Trojan:Win32/Tesla.190225
Cybereason	malicious.bd061e
Arcabit	Generic.MSIL.PasswordStealerA.3F30DD76
VirIT	Trojan.Win32.GenusT.DROL
Cyren	W32/MSIL_Troj.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Autorun.Spy.Agent.DF
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Malware.AgentTesla-6952874-1
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.a
BitDefender	Generic.MSIL.PasswordStealerA.3F30DD76
Avast	MSIL:IELib-A [Trj]
Tencent	Msil.Trojan-QQPass.QQRob.Twhl
Emsisoft	Generic.MSIL.PasswordStealerA.3F30DD76 (B)
F-Secure	Malware.LNK/Runner.VPGD
DrWeb	BackDoor.RatNET.2
VIPRE	Generic.MSIL.PasswordStealerA.3F30DD76
TrendMicro	TrojanSpy.Win32.NEGASTEAL.YXDJDZ
McAfee-GW-Edition	Trojan-FPEL!D3FC0EB99A8E
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.d3fc0eb99a8edffa
Sophos	Troj/MSIL-TBO
Ikarus	Trojan-Spy.AgentTesla
Jiangmin	TrojanSpy.MSIL.anna
Webroot	W32.Trojan.MSIL.AGensla
Avira	LNK/Runner.VPGD
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi
Kingsoft	malware.kb.c.999
Gridinsoft	Spy.Win32.Agent.zv!ni
Xcitium	Malware@#1g4htknad4vll
Microsoft	Backdoor:MSIL/Remcos!atmn
ViRobot	Trojan.Win.Z.Agent.187392.AV
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.a
GData	MSIL.Malware.Bucaspys.A
Google	Detected
AhnLab-V3	Trojan/Win32.Bladabindi.C3246972
VBA32	Trojan.MSIL.AgentTesla.PInv.Heur
MAX	malware (ai score=80)
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TrojanSpy.Win32.NEGASTEAL.YXDJDZ
Rising	Spyware.AgentTesla!1.B864 (CLASSIC)

KqxxD43gE6ehqZb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All