Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 31, 2024, 10:03 a.m.	May 31, 2024, 10:05 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`be49ac418959705d20f029634d85040f`
SHA256	`08d34452a1fa343f4047a98ec0e037f7de798b75a8740b3385f5742d54396e8e`
CRC32	`212967A2`
ssdeep	`49152:2kmKhyq24kI3qebVay+dsHKhmFFr/QfT+pMCSTq66SQdS:2kmKEqlkAbkynqhmFr/2+1STq6ag`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

sarra.exe "C:\Users\test22\AppData\Local\Temp\sarra.exe"
2576
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2784
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2868

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.4.15	Active	Moloch
147.45.47.126	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.101:49165 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 31, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 31, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:01 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 31, 2024, 10:01 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 31, 2024, 10:01 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	snsarbsa
section	xnsewtty
section	.taggant

One or more processes crashed (50 out of 105 events)

Time & API	Arguments	Status
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: sarra+0x43a0b9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 4432057 exception.address: 0xf7a0b9 registers.esp: 3735288 registers.edi: 0 registers.eax: 1 registers.ebp: 3735304 registers.edx: 17891328 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 81 ef a1 5c a7 30 e9 ce 06 00 00 52 89 e2 81 exception.symbol: sarra+0x18eea3 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1633955 exception.address: 0xcceea3 registers.esp: 3735252 registers.edi: 13430218 registers.eax: 28904 registers.ebp: 4003450900 registers.edx: 11796480 registers.ebx: 7424 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 d0 72 ff 7f e9 0e 00 00 00 81 f5 exception.symbol: sarra+0x18f2ed exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1635053 exception.address: 0xccf2ed registers.esp: 3735256 registers.edi: 13459122 registers.eax: 28904 registers.ebp: 4003450900 registers.edx: 11796480 registers.ebx: 7424 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 82 ce e7 3f 52 50 89 1c 24 68 f2 exception.symbol: sarra+0x18f755 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1636181 exception.address: 0xccf755 registers.esp: 3735256 registers.edi: 13459122 registers.eax: 28904 registers.ebp: 4003450900 registers.edx: 11796480 registers.ebx: 4294941604 registers.esi: 241897 registers.ecx: 1969094656	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 0b 00 00 00 81 cb f4 9a f7 3e e9 03 02 00 exception.symbol: sarra+0x190a42 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1641026 exception.address: 0xcd0a42 registers.esp: 3735252 registers.edi: 13459122 registers.eax: 13434880 registers.ebp: 4003450900 registers.edx: 1107195506 registers.ebx: 4294941604 registers.esi: 241897 registers.ecx: 1629973122	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb bf bc 14 ff 18 53 57 bf ac bb 7f 2d 89 fb 5f exception.symbol: sarra+0x190353 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1639251 exception.address: 0xcd0353 registers.esp: 3735256 registers.edi: 13459122 registers.eax: 13461503 registers.ebp: 4003450900 registers.edx: 1107195506 registers.ebx: 4294941604 registers.esi: 241897 registers.ecx: 1629973122	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 50 68 91 4a ff 3f 58 31 d8 e9 04 fd ff ff 87 exception.symbol: sarra+0x1905b1 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 1639857 exception.address: 0xcd05b1 registers.esp: 3735256 registers.edi: 4294943860 registers.eax: 13461503 registers.ebp: 4003450900 registers.edx: 1107195506 registers.ebx: 4294941604 registers.esi: 241897 registers.ecx: 1259	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 31 db e9 be 03 00 00 89 0c 24 e9 64 01 00 00 exception.symbol: sarra+0x30eb37 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3205943 exception.address: 0xe4eb37 registers.esp: 3735256 registers.edi: 13470432 registers.eax: 32455 registers.ebp: 4003450900 registers.edx: 15033089 registers.ebx: 50135805 registers.esi: 14984069 registers.ecx: 765	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 56 89 0c 24 b9 f1 38 8e 0c 89 4c exception.symbol: sarra+0x30edfc exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3206652 exception.address: 0xe4edfc registers.esp: 3735256 registers.edi: 13470432 registers.eax: 32455 registers.ebp: 4003450900 registers.edx: 15033089 registers.ebx: 4294937668 registers.esi: 710633 registers.ecx: 765	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 68 41 53 00 59 89 0c 24 55 bd a5 1b 3e 77 68 exception.symbol: sarra+0x310e34 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3214900 exception.address: 0xe50e34 registers.esp: 3735252 registers.edi: 96 registers.eax: 26803 registers.ebp: 4003450900 registers.edx: 0 registers.ebx: 15006543 registers.esi: 15010966 registers.ecx: 2192707151	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 68 8b 2d 75 71 89 0c 24 b9 9e 17 00 00 55 c7 exception.symbol: sarra+0x3115fb exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3216891 exception.address: 0xe515fb registers.esp: 3735256 registers.edi: 96 registers.eax: 26803 registers.ebp: 4003450900 registers.edx: 0 registers.ebx: 15006543 registers.esi: 15037769 registers.ecx: 2192707151	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 d7 ff ff ff 56 ff 74 24 04 e9 30 00 00 00 exception.symbol: sarra+0x310e94 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3214996 exception.address: 0xe50e94 registers.esp: 3735256 registers.edi: 96 registers.eax: 26803 registers.ebp: 4003450900 registers.edx: 7344488 registers.ebx: 0 registers.esi: 15013585 registers.ecx: 2192707151	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 2d 11 27 fc 5f e9 34 01 00 00 35 4d c4 cf 7d exception.symbol: sarra+0x3120fd exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3219709 exception.address: 0xe520fd registers.esp: 3735252 registers.edi: 96 registers.eax: 15014051 registers.ebp: 4003450900 registers.edx: 340550429 registers.ebx: 0 registers.esi: 15013585 registers.ecx: 443846663	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb ba ff 27 d3 7a e9 8b fc ff ff 5d 56 89 ee 89 exception.symbol: sarra+0x3121e4 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3219940 exception.address: 0xe521e4 registers.esp: 3735256 registers.edi: 96 registers.eax: 15042740 registers.ebp: 4003450900 registers.edx: 340550429 registers.ebx: 0 registers.esi: 15013585 registers.ecx: 443846663	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 56 e9 fe 01 00 00 87 1c 24 5c 81 f1 84 35 06 exception.symbol: sarra+0x311b05 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3218181 exception.address: 0xe51b05 registers.esp: 3735256 registers.edi: 96 registers.eax: 15017020 registers.ebp: 4003450900 registers.edx: 0 registers.ebx: 134889 registers.esi: 15013585 registers.ecx: 443846663	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 14 exception.symbol: sarra+0x31a87f exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3254399 exception.address: 0xe5a87f registers.esp: 3735248 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4003450900 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 15046578 registers.ecx: 20	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: sarra+0x31e5ac exception.address: 0xe5e5ac exception.module: sarra.exe exception.exception_code: 0xc000001d exception.offset: 3270060 registers.esp: 3735248 registers.edi: 4730383 registers.eax: 1 registers.ebp: 4003450900 registers.edx: 22104 registers.ebx: 0 registers.esi: 15046578 registers.ecx: 20	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 d7 2c 2d 12 01 exception.symbol: sarra+0x31ce53 exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3264083 exception.address: 0xe5ce53 registers.esp: 3735248 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4003450900 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15046578 registers.ecx: 10	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 53 54 8b 1c 24 81 c4 04 00 00 00 81 c3 04 00 exception.symbol: sarra+0x322591 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3286417 exception.address: 0xe62591 registers.esp: 3735256 registers.edi: 4730383 registers.eax: 31661 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15112778 registers.esi: 10 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb bb fd b2 3b 5f c1 e3 02 55 89 0c 24 b9 0a f3 exception.symbol: sarra+0x322936 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3287350 exception.address: 0xe62936 registers.esp: 3735256 registers.edi: 4730383 registers.eax: 0 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15083898 registers.esi: 6379 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 53 e8 03 00 00 00 20 5b c3 5b exception.symbol: sarra+0x322ec2 exception.instruction: int 1 exception.module: sarra.exe exception.exception_code: 0xc0000005 exception.offset: 3288770 exception.address: 0xe62ec2 registers.esp: 3735216 registers.edi: 0 registers.eax: 3735216 registers.ebp: 4003450900 registers.edx: 15085089 registers.ebx: 15085549 registers.esi: 1351143138 registers.ecx: 15085089	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 d5 01 00 00 57 89 e7 81 c7 04 00 00 00 83 exception.symbol: sarra+0x331d9e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3349918 exception.address: 0xe71d9e registers.esp: 3735256 registers.edi: 13426150 registers.eax: 15175275 registers.ebp: 4003450900 registers.edx: 4294939348 registers.ebx: 7261674 registers.esi: 80171350 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 e6 81 c6 04 00 exception.symbol: sarra+0x3327f8 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3352568 exception.address: 0xe727f8 registers.esp: 3735256 registers.edi: 13426150 registers.eax: 25778 registers.ebp: 4003450900 registers.edx: 15150888 registers.ebx: 7261674 registers.esi: 262633 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 27 00 00 00 54 e9 69 f8 ff ff 83 ec 04 e9 exception.symbol: sarra+0x33720d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3371533 exception.address: 0xe7720d registers.esp: 3735248 registers.edi: 13426150 registers.eax: 28229 registers.ebp: 4003450900 registers.edx: 1791371350 registers.ebx: 7261674 registers.esi: 15194208 registers.ecx: 1035399728	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 50 c7 04 24 82 fe 4c 09 89 exception.symbol: sarra+0x3372ac exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3371692 exception.address: 0xe772ac registers.esp: 3735248 registers.edi: 13426150 registers.eax: 28229 registers.ebp: 4003450900 registers.edx: 1791371350 registers.ebx: 921833 registers.esi: 15169108 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 41 b1 60 64 e9 98 05 00 00 83 c4 exception.symbol: sarra+0x33919b exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3379611 exception.address: 0xe7919b registers.esp: 3735248 registers.edi: 13426150 registers.eax: 15179263 registers.ebp: 4003450900 registers.edx: 82608465 registers.ebx: 601454653 registers.esi: 15169108 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 55 e9 a0 03 00 00 81 c4 04 00 00 00 53 e9 a9 exception.symbol: sarra+0x3582f7 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3506935 exception.address: 0xe982f7 registers.esp: 3735216 registers.edi: 1969687616 registers.eax: 32678 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 1263512040 registers.esi: 15334306 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 68 a1 98 88 30 e9 d5 04 00 00 89 34 24 89 e6 exception.symbol: sarra+0x357de9 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3505641 exception.address: 0xe97de9 registers.esp: 3735216 registers.edi: 1969687616 registers.eax: 32678 registers.ebp: 4003450900 registers.edx: 0 registers.ebx: 1263512040 registers.esi: 15304786 registers.ecx: 2298801283	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 73 07 00 00 5d 81 f5 38 2c 80 4e 89 ef 5d exception.symbol: sarra+0x35af0f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3518223 exception.address: 0xe9af0f registers.esp: 3735212 registers.edi: 15312594 registers.eax: 15314492 registers.ebp: 4003450900 registers.edx: 1968967935 registers.ebx: 2616843647 registers.esi: 15311950 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 c7 04 24 78 2a ef 7f c1 24 exception.symbol: sarra+0x35b611 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3520017 exception.address: 0xe9b611 registers.esp: 3735216 registers.edi: 15312594 registers.eax: 15317454 registers.ebp: 4003450900 registers.edx: 10545490 registers.ebx: 2616843647 registers.esi: 0 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 b3 01 a0 05 89 2c 24 c7 04 24 f5 exception.symbol: sarra+0x35c3d4 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3523540 exception.address: 0xe9c3d4 registers.esp: 3735216 registers.edi: 15312594 registers.eax: 29928 registers.ebp: 4003450900 registers.edx: 10545490 registers.ebx: 2616843647 registers.esi: 15347821 registers.ecx: 978607964	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 03 0a 00 00 31 4c 24 04 e9 61 03 00 00 81 exception.symbol: sarra+0x35bcea exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3521770 exception.address: 0xe9bcea registers.esp: 3735216 registers.edi: 15312594 registers.eax: 82608982 registers.ebp: 4003450900 registers.edx: 10545490 registers.ebx: 2616843647 registers.esi: 15347821 registers.ecx: 4294940420	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 52 81 ec 04 00 00 00 89 2c exception.symbol: sarra+0x35d0a0 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3526816 exception.address: 0xe9d0a0 registers.esp: 3735212 registers.edi: 15312594 registers.eax: 25651 registers.ebp: 4003450900 registers.edx: 881150455 registers.ebx: 2616843647 registers.esi: 15347821 registers.ecx: 15321322	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 50 e9 ef 03 00 00 81 c7 0e 2e f6 6f c1 ef 01 exception.symbol: sarra+0x35ce9a exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3526298 exception.address: 0xe9ce9a registers.esp: 3735216 registers.edi: 4294944344 registers.eax: 25651 registers.ebp: 4003450900 registers.edx: 881150455 registers.ebx: 2616843647 registers.esi: 746823053 registers.ecx: 15346973	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 fd f6 ff ff 01 df 8b 1c 24 83 c4 04 exception.symbol: sarra+0x3617e2 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3545058 exception.address: 0xea17e2 registers.esp: 3735216 registers.edi: 4294944344 registers.eax: 26106 registers.ebp: 4003450900 registers.edx: 15365272 registers.ebx: 65786 registers.esi: 746823053 registers.ecx: 1971716238	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 e9 0e 05 00 00 5f e9 88 05 00 00 81 exception.symbol: sarra+0x360f45 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3542853 exception.address: 0xea0f45 registers.esp: 3735216 registers.edi: 4294944344 registers.eax: 26106 registers.ebp: 4003450900 registers.edx: 15365272 registers.ebx: 65786 registers.esi: 24811 registers.ecx: 4294943632	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 4d 00 00 00 8f 04 24 e9 05 f8 ff ff 81 e1 exception.symbol: sarra+0x36406a exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3555434 exception.address: 0xea406a registers.esp: 3735216 registers.edi: 4294944344 registers.eax: 15352412 registers.ebp: 4003450900 registers.edx: 3939837675 registers.ebx: 171201803 registers.esi: 0 registers.ecx: 4294943632	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 57 83 ec 04 89 3c 24 c7 04 24 78 3b fb 7d f7 exception.symbol: sarra+0x365329 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3560233 exception.address: 0xea5329 registers.esp: 3735216 registers.edi: 15353457 registers.eax: 2152709461 registers.ebp: 4003450900 registers.edx: 3939890726 registers.ebx: 0 registers.esi: 15356981 registers.ecx: 0	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 b4 b4 5d 20 89 3c 24 bf 33 78 79 exception.symbol: sarra+0x366196 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3563926 exception.address: 0xea6196 registers.esp: 3735212 registers.edi: 15353457 registers.eax: 32847 registers.ebp: 4003450900 registers.edx: 3939890726 registers.ebx: 0 registers.esi: 15357404 registers.ecx: 15595261	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 10 01 00 00 52 e9 01 fe ff ff 05 b1 97 1f exception.symbol: sarra+0x365b0d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3562253 exception.address: 0xea5b0d registers.esp: 3735216 registers.edi: 15353457 registers.eax: 32847 registers.ebp: 4003450900 registers.edx: 3939890726 registers.ebx: 0 registers.esi: 15390251 registers.ecx: 15595261	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 56 e9 7e fa ff ff 81 c4 04 00 00 00 52 89 f2 exception.symbol: sarra+0x366103 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3563779 exception.address: 0xea6103 registers.esp: 3735216 registers.edi: 15353457 registers.eax: 4294937596 registers.ebp: 4003450900 registers.edx: 157417 registers.ebx: 0 registers.esi: 15390251 registers.ecx: 15595261	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 30 00 00 00 81 c4 04 00 00 00 52 89 e2 81 exception.symbol: sarra+0x36ebca exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599306 exception.address: 0xeaebca registers.esp: 3735212 registers.edi: 15353457 registers.eax: 27392 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15395558 registers.esi: 15364541 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 c7 04 24 ed eb fd exception.symbol: sarra+0x36f19e exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3600798 exception.address: 0xeaf19e registers.esp: 3735216 registers.edi: 15353457 registers.eax: 27392 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15422950 registers.esi: 15364541 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 57 e9 70 01 00 00 52 89 3c 24 68 1b 96 ef 34 exception.symbol: sarra+0x36ebb5 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3599285 exception.address: 0xeaebb5 registers.esp: 3735216 registers.edi: 15353457 registers.eax: 322689 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15398630 registers.esi: 0 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 e9 5c 02 00 00 50 b8 fb 95 bf 7f exception.symbol: sarra+0x36f9b0 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3602864 exception.address: 0xeaf9b0 registers.esp: 3735216 registers.edi: 15353457 registers.eax: 15402247 registers.ebp: 4003450900 registers.edx: 607422800 registers.ebx: 0 registers.esi: 0 registers.ecx: 89632577	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 ce 01 00 00 87 3c 24 e9 61 03 00 00 81 04 exception.symbol: sarra+0x388a8d exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3705485 exception.address: 0xec8a8d registers.esp: 3735216 registers.edi: 15490417 registers.eax: 26818 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15456681 registers.esi: 15528669 registers.ecx: 2144600064	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 c9 29 c5 5f e9 f0 00 00 00 09 5c exception.symbol: sarra+0x3890a6 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3707046 exception.address: 0xec90a6 registers.esp: 3735216 registers.edi: 15490417 registers.eax: 4294943000 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 15456681 registers.esi: 15528669 registers.ecx: 3909414019	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 56 be 8b 73 cd 7d 29 f1 5e 50 b8 46 de cb 5e exception.symbol: sarra+0x38cb4f exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3722063 exception.address: 0xeccb4f registers.esp: 3735212 registers.edi: 15490417 registers.eax: 29031 registers.ebp: 4003450900 registers.edx: 2130566132 registers.ebx: 325109934 registers.esi: 15528669 registers.ecx: 15516942	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb e9 cc fe ff ff 81 c6 04 00 00 00 e9 00 00 00 exception.symbol: sarra+0x38cc48 exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3722312 exception.address: 0xeccc48 registers.esp: 3735216 registers.edi: 1651280488 registers.eax: 29031 registers.ebp: 4003450900 registers.edx: 4294940904 registers.ebx: 325109934 registers.esi: 15528669 registers.ecx: 15545973	1
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 83 e9 04 87 0c 24 exception.symbol: sarra+0x39198b exception.instruction: sti exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3742091 exception.address: 0xed198b registers.esp: 3735216 registers.edi: 2179107154 registers.eax: 31807 registers.ebp: 4003450900 registers.edx: 4294938816 registers.ebx: 922344086 registers.esi: 3808458458 registers.ecx: 15567606	1

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:01 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 31, 2024, 10:01 a.m.	thread_identifier: 2788 thread_handle: 0x000001bc process_identifier: 2784 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c0	1	1	0
CreateProcessInternalW May 31, 2024, 10:01 a.m.	thread_identifier: 2872 thread_handle: 0x000001c8 process_identifier: 2868 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c4	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x000ab400', u'virtual_address': u'0x00001000', u'entropy': 7.924871179302655, u'name': u' \\x00 ', u'virtual_size': u'0x00189000'}

entropy

7.9248711793

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001400', u'virtual_address': u'0x0018a000', u'entropy': 7.584585521331638, u'name': u'.rsrc', u'virtual_size': u'0x00001638'}

entropy

7.58458552133

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00195000', u'virtual_address': u'0x0043a000', u'entropy': 7.954383444691058, u'name': u'snsarbsa', u'virtual_size': u'0x00195000'}

entropy

7.95438344469

description

A section with a high entropy has been found

entropy

0.995260663507

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

147.45.47.126

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (21 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 31, 2024, 10:01 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 14 exception.symbol: sarra+0x31a87f exception.instruction: in eax, dx exception.module: sarra.exe exception.exception_code: 0xc0000096 exception.offset: 3254399 exception.address: 0xe5a87f registers.esp: 3735248 registers.edi: 4730383 registers.eax: 1447909480 registers.ebp: 4003450900 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 15046578 registers.ecx: 20	1	0	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.RisePro.vc
ALYac	Gen:Trojan.Heur.rE0auyZH1Gck
Cylance	Unsafe
VIPRE	Gen:Trojan.Heur.rE0auyZH1Gck
K7AntiVirus	Trojan ( 005376ae1 )
BitDefender	Gen:Trojan.Heur.rE0auyZH1Gck
K7GW	Trojan ( 005376ae1 )
Cybereason	malicious.189597
Arcabit	Trojan.Heur.rE0auyZH1Gck
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Risepro-10030647-0
Kaspersky	VHO:Trojan-PSW.Win32.RisePro.gen
MicroWorld-eScan	Gen:Trojan.Heur.rE0auyZH1Gck
Emsisoft	Gen:Trojan.Heur.rE0auyZH1Gck (B)
DrWeb	Trojan.PWS.RisePro.156
McAfeeD	Real Protect-LS!BE49AC418959
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.be49ac418959705d
Sophos	Mal/RisePro-A
Google	Detected
MAX	malware (ai score=82)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/RisePro.RP!MTB
ZoneAlarm	VHO:Trojan-PSW.Win32.RisePro.gen
GData	Gen:Trojan.Heur.rE0auyZH1Gck
AhnLab-V3	Trojan/Win.RisePro.R649039
BitDefenderTheta	AI:Packer.56A810C51C
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4196262252
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

sarra.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All