Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 3, 2024, 7:45 a.m.	May 3, 2024, 7:50 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9108c53602981487b7b44c2729fbd5bc`
SHA256	`2c488e98376128ded83147178dce23035dbcb4f58788adeb0ba2f097b4bda3c0`
CRC32	`693157A6`
ssdeep	`49152:aGY5918NqwTEgTcaG4026MAOjNvPKrQOWnbXlG6+4j8zAvxS:7hTd0h+jN6V4YzX`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

sarra.exe "C:\Users\test22\AppData\Local\Temp\sarra.exe"
776
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2600
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2688

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
167.71.205.181	Active	Moloch
104.26.5.15	Active	Moloch
147.45.47.93	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.93:58709 -> 192.168.56.103:49166	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.26.5.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 3, 2024, 7:48 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 3, 2024, 7:48 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 3, 2024, 7:45 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:45 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:45 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:46 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 3, 2024, 7:48 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 3, 2024, 7:48 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	mmjalsks
section	amdkirph
section	.taggant

One or more processes crashed (50 out of 113 events)

Time & API	Arguments	Status
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: sarra+0x4420b9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 4464825 exception.address: 0xda20b9 registers.esp: 1899324 registers.edi: 0 registers.eax: 1 registers.ebp: 1899340 registers.edx: 15994880 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 4d fe ff ff 68 d1 1b ef 57 8b 0c 24 81 c4 exception.symbol: sarra+0x195340 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1659712 exception.address: 0xaf5340 registers.esp: 1899288 registers.edi: 1971192040 registers.eax: 11488627 registers.ebp: 4001509396 registers.edx: 9830400 registers.ebx: 11533311 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 14 24 68 a6 8d exception.symbol: sarra+0x194ffe exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1658878 exception.address: 0xaf4ffe registers.esp: 1899292 registers.edi: 1971192040 registers.eax: 11518826 registers.ebp: 4001509396 registers.edx: 9830400 registers.ebx: 11533311 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 b9 ae 00 3f 7f e9 f9 fe ff ff 56 exception.symbol: sarra+0x194fcb exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1658827 exception.address: 0xaf4fcb registers.esp: 1899292 registers.edi: 1971192040 registers.eax: 11491766 registers.ebp: 4001509396 registers.edx: 9830400 registers.ebx: 240873 registers.esi: 3 registers.ecx: 0	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 39 ff 34 24 ff 34 24 e9 96 f9 ff exception.symbol: sarra+0x19677e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1664894 exception.address: 0xaf677e registers.esp: 1899292 registers.edi: 11519520 registers.eax: 26401 registers.ebp: 4001509396 registers.edx: 1918131110 registers.ebx: 240873 registers.esi: 3 registers.ecx: 0	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 81 ea 04 00 00 00 exception.symbol: sarra+0x1967a6 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1664934 exception.address: 0xaf67a6 registers.esp: 1899292 registers.edi: 11519520 registers.eax: 26401 registers.ebp: 4001509396 registers.edx: 1259 registers.ebx: 240873 registers.esi: 3 registers.ecx: 4294943812	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 55 e9 a6 fc ff ff 53 81 34 24 6f 9d ff 3f 5f exception.symbol: sarra+0x31d178 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3264888 exception.address: 0xc7d178 registers.esp: 1899288 registers.edi: 11528298 registers.eax: 27059 registers.ebp: 4001509396 registers.edx: 2345 registers.ebx: 1597440 registers.esi: 13094212 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 50 e9 11 02 00 00 8b 0c 24 81 c4 04 00 00 00 exception.symbol: sarra+0x31d15a exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3264858 exception.address: 0xc7d15a registers.esp: 1899292 registers.edi: 11528298 registers.eax: 4294943264 registers.ebp: 4001509396 registers.edx: 2345 registers.ebx: 2298801283 registers.esi: 13121271 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 e9 62 fc ff ff 81 exception.symbol: sarra+0x32348e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3290254 exception.address: 0xc8348e registers.esp: 1899292 registers.edi: 4003299612 registers.eax: 4294938720 registers.ebp: 4001509396 registers.edx: 2748855391 registers.ebx: 13150791 registers.esi: 2298801283 registers.ecx: 478926890	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 52 ba 04 00 00 00 01 d3 5a 81 eb 04 exception.symbol: sarra+0x32408a exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3293322 exception.address: 0xc8408a registers.esp: 1899292 registers.edi: 4294939512 registers.eax: 30525 registers.ebp: 4001509396 registers.edx: 1688422163 registers.ebx: 1695107640 registers.esi: 13153246 registers.ecx: 1259	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 58 09 00 00 57 bf 00 exception.symbol: sarra+0x32fa23 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3340835 exception.address: 0xc8fa23 registers.esp: 1899284 registers.edi: 6106855 registers.eax: 1447909480 registers.ebp: 4001509396 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 13154586 registers.ecx: 20	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: sarra+0x32cee7 exception.address: 0xc8cee7 exception.module: sarra.exe exception.exception_code: 0xc000001d exception.offset: 3329767 registers.esp: 1899284 registers.edi: 6106855 registers.eax: 1 registers.ebp: 4001509396 registers.edx: 22104 registers.ebx: 0 registers.esi: 13154586 registers.ecx: 20	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 53 2c 2d 12 01 exception.symbol: sarra+0x32faae exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3340974 exception.address: 0xc8faae registers.esp: 1899284 registers.edi: 6106855 registers.eax: 1447909480 registers.ebp: 4001509396 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13154586 registers.ecx: 10	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59 exception.symbol: sarra+0x334578 exception.instruction: int 1 exception.module: sarra.exe exception.exception_code: 0xc0000005 exception.offset: 3360120 exception.address: 0xc94578 registers.esp: 1899252 registers.edi: 0 registers.eax: 1899252 registers.ebp: 4001509396 registers.edx: 2607611477 registers.ebx: 13190905 registers.esi: 1458566143 registers.ecx: 59467	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 56 51 68 83 30 45 7b 89 34 24 be 09 f1 fd 6f exception.symbol: sarra+0x335072 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3362930 exception.address: 0xc95072 registers.esp: 1899292 registers.edi: 6106855 registers.eax: 13222943 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 48115937 registers.esi: 13189288 registers.ecx: 1202211840	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 51 e9 98 00 00 00 52 89 e2 56 be 61 c2 6f 6e exception.symbol: sarra+0x334b10 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3361552 exception.address: 0xc94b10 registers.esp: 1899292 registers.edi: 0 registers.eax: 13194835 registers.ebp: 4001509396 registers.edx: 2283 registers.ebx: 48115937 registers.esi: 13189288 registers.ecx: 1202211840	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 0a 07 00 00 89 e5 e9 73 05 00 00 exception.symbol: sarra+0x342f38 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3419960 exception.address: 0xca2f38 registers.esp: 1899292 registers.edi: 0 registers.eax: 31807 registers.ebp: 4001509396 registers.edx: 262633 registers.ebx: 48116159 registers.esi: 1971262480 registers.ecx: 13253411	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 68 db f2 41 28 e9 6d fa ff ff 89 34 24 89 1c exception.symbol: sarra+0x346862 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3434594 exception.address: 0xca6862 registers.esp: 1899280 registers.edi: 0 registers.eax: 32550 registers.ebp: 4001509396 registers.edx: 13263166 registers.ebx: 48116159 registers.esi: 1971262480 registers.ecx: 345403332	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 52 89 1c 24 89 04 24 55 e9 53 04 00 00 89 e1 exception.symbol: sarra+0x346588 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3433864 exception.address: 0xca6588 registers.esp: 1899284 registers.edi: 4294937704 registers.eax: 32550 registers.ebp: 4001509396 registers.edx: 13295716 registers.ebx: 48116159 registers.esi: 3909414019 registers.ecx: 345403332	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 9d cf 31 1f 89 04 24 52 e9 00 00 exception.symbol: sarra+0x34754c exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3437900 exception.address: 0xca754c registers.esp: 1899284 registers.edi: 962537 registers.eax: 13299130 registers.ebp: 4001509396 registers.edx: 13295716 registers.ebx: 2276596 registers.esi: 3909414019 registers.ecx: 4294937476	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 a6 1e 6e 7e 81 2c 24 1a 04 8b 6b exception.symbol: sarra+0x34b26f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3453551 exception.address: 0xcab26f registers.esp: 1899284 registers.edi: 962537 registers.eax: 29593 registers.ebp: 4001509396 registers.edx: 13311309 registers.ebx: 322270405 registers.esi: 3909414019 registers.ecx: 13295716	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 68 6c 9b e4 7b 89 2c 24 89 04 24 b8 92 08 f1 exception.symbol: sarra+0x34aaca exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3451594 exception.address: 0xcaaaca registers.esp: 1899284 registers.edi: 962537 registers.eax: 0 registers.ebp: 4001509396 registers.edx: 13284873 registers.ebx: 322270405 registers.esi: 84201 registers.ecx: 13295716	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 13 ff 34 24 e9 c4 01 00 00 b8 4a exception.symbol: sarra+0x358963 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3508579 exception.address: 0xcb8963 registers.esp: 1899284 registers.edi: 2315054117 registers.eax: 27126 registers.ebp: 4001509396 registers.edx: 13364833 registers.ebx: 793137963 registers.esi: 13333898 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 50 e9 5d 01 00 00 59 e9 72 01 00 00 81 ed 6a exception.symbol: sarra+0x3587b0 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3508144 exception.address: 0xcb87b0 registers.esp: 1899284 registers.edi: 116969 registers.eax: 27126 registers.ebp: 4001509396 registers.edx: 13364833 registers.ebx: 4294942972 registers.esi: 13333898 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 91 06 00 00 c1 ee 06 f7 d6 83 ee ff f7 d6 exception.symbol: sarra+0x36db34 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3595060 exception.address: 0xccdb34 registers.esp: 1899248 registers.edi: 13424271 registers.eax: 29393 registers.ebp: 4001509396 registers.edx: 2130566132 registers.ebx: 16 registers.esi: 13437823 registers.ecx: 2143986803	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 68 c0 98 76 10 89 1c 24 89 2c 24 50 89 e0 e9 exception.symbol: sarra+0x36e36e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3597166 exception.address: 0xcce36e registers.esp: 1899252 registers.edi: 13453664 registers.eax: 29393 registers.ebp: 4001509396 registers.edx: 2130566132 registers.ebx: 16 registers.esi: 13437823 registers.ecx: 2143986803	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 51 89 04 24 83 ec 04 89 1c 24 e9 exception.symbol: sarra+0x36d98a exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3594634 exception.address: 0xccd98a registers.esp: 1899252 registers.edi: 13427596 registers.eax: 29393 registers.ebp: 4001509396 registers.edx: 2130566132 registers.ebx: 322689 registers.esi: 0 registers.ecx: 2143986803	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 c3 0e 4d 69 3f e9 44 00 00 00 fb e9 88 f9 exception.symbol: sarra+0x36ec3f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599423 exception.address: 0xccec3f registers.esp: 1899248 registers.edi: 13427596 registers.eax: 29972 registers.ebp: 4001509396 registers.edx: 1129110961 registers.ebx: 13427968 registers.esi: 0 registers.ecx: 869686730	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 81 c3 04 00 00 00 51 52 ba 95 69 f9 exception.symbol: sarra+0x36ed23 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599651 exception.address: 0xcced23 registers.esp: 1899252 registers.edi: 13427596 registers.eax: 29972 registers.ebp: 4001509396 registers.edx: 1129110961 registers.ebx: 13457940 registers.esi: 0 registers.ecx: 869686730	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 88 f9 ff ff 68 fc b7 1e 74 e9 f3 01 00 00 exception.symbol: sarra+0x36ec4b exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599435 exception.address: 0xccec4b registers.esp: 1899252 registers.edi: 13427596 registers.eax: 29972 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 13431112 registers.esi: 604292947 registers.ecx: 869686730	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 53 55 bd 50 58 ed 4b 89 eb e9 43 fa ff ff 51 exception.symbol: sarra+0x36f951 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3602769 exception.address: 0xccf951 registers.esp: 1899252 registers.edi: 1442867808 registers.eax: 25970 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 1615656402 registers.esi: 13434387 registers.ecx: 1038955328	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 c3 f7 75 7f 7f 81 c3 f9 08 6f 5b 52 ba 20 exception.symbol: sarra+0x3738a0 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3618976 exception.address: 0xcd38a0 registers.esp: 1899248 registers.edi: 13435086 registers.eax: 29598 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 13449094 registers.esi: 13434418 registers.ecx: 1969225870	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 56 be 00 11 b9 7d 81 ce f2 20 ff 7f e9 60 01 exception.symbol: sarra+0x37414d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3621197 exception.address: 0xcd414d registers.esp: 1899252 registers.edi: 0 registers.eax: 29598 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 13452352 registers.esi: 13434418 registers.ecx: 607422802	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 68 db f1 9c 04 e9 7d 00 00 00 b9 4a 2c fa ec exception.symbol: sarra+0x37957c exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3642748 exception.address: 0xcd957c registers.esp: 1899248 registers.edi: 4001509396 registers.eax: 29253 registers.ebp: 4001509396 registers.edx: 13463704 registers.ebx: 13471256 registers.esi: 26890912 registers.ecx: 13462327	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 1f ff 34 24 ff 34 24 58 e9 b3 07 exception.symbol: sarra+0x378f5b exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3641179 exception.address: 0xcd8f5b registers.esp: 1899252 registers.edi: 4001509396 registers.eax: 29253 registers.ebp: 4001509396 registers.edx: 13463704 registers.ebx: 13500509 registers.esi: 26890912 registers.ecx: 13462327	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 7e 04 00 00 5c e9 15 02 00 00 81 04 24 41 exception.symbol: sarra+0x378fec exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3641324 exception.address: 0xcd8fec registers.esp: 1899252 registers.edi: 4294940528 registers.eax: 1298993512 registers.ebp: 4001509396 registers.edx: 13463704 registers.ebx: 13500509 registers.esi: 26890912 registers.ecx: 13462327	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 51 e9 05 03 00 00 52 ba 04 00 00 00 81 c5 a8 exception.symbol: sarra+0x379db4 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3644852 exception.address: 0xcd9db4 registers.esp: 1899252 registers.edi: 4294940528 registers.eax: 13499936 registers.ebp: 4001509396 registers.edx: 515438273 registers.ebx: 157417 registers.esi: 26890912 registers.ecx: 4294944172	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 55 68 af f0 a7 26 89 3c 24 55 bd 91 27 c3 15 exception.symbol: sarra+0x37c205 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3654149 exception.address: 0xcdc205 registers.esp: 1899248 registers.edi: 4294940528 registers.eax: 13483678 registers.ebp: 4001509396 registers.edx: 515438273 registers.ebx: 4294948848 registers.esi: 13399072 registers.ecx: 528919985	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 2c ff ff ff 83 c4 04 31 7c 24 04 5f 89 3c exception.symbol: sarra+0x37c716 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3655446 exception.address: 0xcdc716 registers.esp: 1899252 registers.edi: 2179434839 registers.eax: 13486814 registers.ebp: 4001509396 registers.edx: 0 registers.ebx: 4294948848 registers.esi: 13399072 registers.ecx: 528919985	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 c3 93 d2 df 7f 50 89 e0 e9 17 ff ff ff 83 exception.symbol: sarra+0x3915b1 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3741105 exception.address: 0xcf15b1 registers.esp: 1899248 registers.edi: 13536924 registers.eax: 29522 registers.ebp: 4001509396 registers.edx: 844472 registers.ebx: 13571080 registers.esi: 13536888 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb b9 c3 b6 31 7d 81 e9 93 7a 4d 33 55 68 01 b0 exception.symbol: sarra+0x39167b exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3741307 exception.address: 0xcf167b registers.esp: 1899252 registers.edi: 1567056 registers.eax: 0 registers.ebp: 4001509396 registers.edx: 844472 registers.ebx: 13573730 registers.esi: 13536888 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 57 e9 f6 fe ff ff 51 68 13 2a fc 77 59 81 f1 exception.symbol: sarra+0x399600 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3773952 exception.address: 0xcf9600 registers.esp: 1899252 registers.edi: 0 registers.eax: 4294941820 registers.ebp: 4001509396 registers.edx: 13630561 registers.ebx: 13575078 registers.esi: 6012908 registers.ecx: 46393681	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 bc 01 00 00 be fe 16 8e 3f bd 78 20 4d fb exception.symbol: sarra+0x39ecfc exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3796220 exception.address: 0xcfecfc registers.esp: 1899252 registers.edi: 13606468 registers.eax: 28253 registers.ebp: 4001509396 registers.edx: 844472 registers.ebx: 13654289 registers.esi: 6012908 registers.ecx: 1382678528	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 68 5a 5f 2a 2c 89 2c 24 bd 43 8a d9 37 52 51 exception.symbol: sarra+0x39ebf9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3795961 exception.address: 0xcfebf9 registers.esp: 1899252 registers.edi: 13606468 registers.eax: 0 registers.ebp: 4001509396 registers.edx: 844472 registers.ebx: 13628985 registers.esi: 6012908 registers.ecx: 322689	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 b9 fc eb df 73 56 exception.symbol: sarra+0x3a021e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3801630 exception.address: 0xd0021e registers.esp: 1899248 registers.edi: 13606468 registers.eax: 25759 registers.ebp: 4001509396 registers.edx: 1499118687 registers.ebx: 13628985 registers.esi: 13629478 registers.ecx: 749767188	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 08 00 00 00 8b 2c 24 e9 a2 03 00 00 29 d2 exception.symbol: sarra+0x39ff35 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3800885 exception.address: 0xcfff35 registers.esp: 1899252 registers.edi: 13606468 registers.eax: 25759 registers.ebp: 4001509396 registers.edx: 1499118687 registers.ebx: 13628985 registers.esi: 13655237 registers.ecx: 749767188	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 ee 03 00 00 58 52 89 3c 24 5d e9 32 04 00 exception.symbol: sarra+0x39f8ed exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3799277 exception.address: 0xcff8ed registers.esp: 1899252 registers.edi: 607453008 registers.eax: 25759 registers.ebp: 4001509396 registers.edx: 4294944320 registers.ebx: 13628985 registers.esi: 13655237 registers.ecx: 749767188	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb e9 60 f5 ff ff 51 83 ec 04 e9 56 00 00 00 81 exception.symbol: sarra+0x3a7863 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3831907 exception.address: 0xd07863 registers.esp: 1899252 registers.edi: 607453008 registers.eax: 4294940876 registers.ebp: 4001509396 registers.edx: 107 registers.ebx: 82608977 registers.esi: 13688729 registers.ecx: 108	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 2d db 87 db 7f 57 bf e3 ef e5 19 81 c7 cd 49 exception.symbol: sarra+0x3b3ae4 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3881700 exception.address: 0xd13ae4 registers.esp: 1899248 registers.edi: 13464162 registers.eax: 13710725 registers.ebp: 4001509396 registers.edx: 395049983 registers.ebx: 16910336 registers.esi: 13464161 registers.ecx: 3738837507	1
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: fb 57 e9 ef 00 00 00 81 c6 61 36 cf 5f 59 81 c6 exception.symbol: sarra+0x3b3b19 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3881753 exception.address: 0xd13b19 registers.esp: 1899252 registers.edi: 13464162 registers.eax: 13736897 registers.ebp: 4001509396 registers.edx: 395049983 registers.ebx: 16910336 registers.esi: 13464161 registers.ecx: 3738837507	1

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (45 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:45 a.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

sarra.exe tried to sleep 249 seconds, actually delayed analysis time by 249 seconds

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 3, 2024, 7:46 a.m.	thread_identifier: 2604 thread_handle: 0x000001c0 process_identifier: 2600 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c4	1	1	0
CreateProcessInternalW May 3, 2024, 7:46 a.m.	thread_identifier: 2692 thread_handle: 0x000001cc process_identifier: 2688 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c8	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x000aa000', u'virtual_address': u'0x00001000', u'entropy': 7.9243793602844255, u'name': u' \\x00 ', u'virtual_size': u'0x00186000'}

entropy

7.92437936028

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001600', u'virtual_address': u'0x00187000', u'entropy': 7.4414717151667285, u'name': u'.rsrc', u'virtual_size': u'0x0000afa0'}

entropy

7.44147171517

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019de00', u'virtual_address': u'0x00442000', u'entropy': 7.910486621039187, u'name': u'mmjalsks', u'virtual_size': u'0x0019e000'}

entropy

7.91048662104

description

A section with a high entropy has been found

entropy

0.995534765044

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (2 events)

host	167.71.205.181
host	147.45.47.93

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (48 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 3, 2024, 7:45 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:45 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:46 a.m.	class_name: pediy06 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 3, 2024, 7:45 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 58 09 00 00 57 bf 00 exception.symbol: sarra+0x32fa23 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3340835 exception.address: 0xc8fa23 registers.esp: 1899284 registers.edi: 6106855 registers.eax: 1447909480 registers.ebp: 4001509396 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 13154586 registers.ecx: 20	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.RisePro.1p!c
tehtris	Generic.Malware
ALYac	Gen:Variant.Zusy.545972
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
BitDefender	Gen:Variant.Zusy.545972
K7GW	Trojan ( 005376ae1 )
K7AntiVirus	Trojan ( 005376ae1 )
Arcabit	Trojan.Zusy.D854B4
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
Avast	Win32:PWSX-gen [Trj]
Kaspersky	VHO:Trojan-PSW.Win32.RisePro.gen
Alibaba	Trojan:Win32/RisePro.de078f97
MicroWorld-eScan	Gen:Variant.Zusy.545972
Rising	Stealer.RisePro!8.176E1 (LESS:bWQ1OpEIxTYCmBSHt7RMJyn71bw)
Emsisoft	Gen:Variant.Zusy.545972 (B)
BitDefenderTheta	Gen:NN.ZexaF.36804.tE0aaexndDek
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.9108c53602981487
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Themida
Google	Detected
Kingsoft	malware.kb.a.847
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/RisePro.RP!MTB
ZoneAlarm	VHO:Trojan-PSW.Win32.RisePro.gen
GData	Gen:Variant.Zusy.545972
Varist	W32/RisePro.H.gen!Eldorado
AhnLab-V3	Trojan/Win.RisePro.R646871
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.Themida
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
MAX	malware (ai score=89)
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/RisePro.RX8PHU

sarra.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All