Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 9, 2021, 3:21 p.m.	March 9, 2021, 3:24 p.m.

Size	22.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`f60b8a0c8976d51ad5f202431b968920`
SHA256	`cefaabc3ea606b66a4efcf4c91acc94725c34f0eac566991c7684e6be26bc0fa`
CRC32	`C68527B3`
ssdeep	`393216:FBEfP9Hi5C/XnPxvcxJ6lH4gnT2UNQbo6P7SkL34X8geQgKgZ2Lr9fXB8DDgM8F4:7EfP9HBXP9wUHvy306P1LIX8hQzBLr9q`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero

sinqqhd.exe "C:\Users\test22\AppData\Local\Temp\sinqqhd.exe"
4748
- Pigeon_50.exe "C:\Users\test22\AppData\Roaming\Knee\Pigeon_50.exe"
  4892
  - RealtekSb.exe "C:\Users\test22\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
    6892
- Boat_63.exe "C:\Users\test22\AppData\Roaming\Software\Boat_63.exe"
  7400
  - RealtekSb.exe "C:\Users\test22\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
    9132
- Burden_17.exe "C:\Users\test22\AppData\Roaming\Software\Burden_17.exe"
  6096
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
195.201.225.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49814 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49814 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	14:8d:58:21:b9:91:38:b0:2c:1f:8b:a9:83:d2:f9:89:84:11:99:e2

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2021, 3:21 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2021, 3:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (50 out of 591 events)

Time & API	Arguments	Status
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: pigeon_50+0xacd0b9 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 11325625 exception.address: 0x135d0b9 registers.esp: 3865324 registers.edi: 0 registers.eax: 1 registers.ebp: 3865340 registers.edx: 24399872 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 e9 76 03 00 00 50 b8 11 3b 6e 6d 35 16 bd exception.symbol: pigeon_50+0x597df0 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 5864944 exception.address: 0xe27df0 registers.esp: 3865288 registers.edi: 1970405608 registers.eax: 25975 registers.ebp: 3955974164 registers.edx: 8978432 registers.ebx: 0 registers.esi: 14843218 registers.ecx: 1970601984	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 68 f0 32 02 37 89 14 24 89 34 24 54 e9 29 07 exception.symbol: pigeon_50+0x597d91 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 5864849 exception.address: 0xe27d91 registers.esp: 3865292 registers.edi: 237801 registers.eax: 25975 registers.ebp: 3955974164 registers.edx: 4294944132 registers.ebx: 0 registers.esi: 14869193 registers.ecx: 1970601984	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 c7 04 24 13 d3 ff 78 f7 1c 24 81 exception.symbol: pigeon_50+0x5998eb exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 5871851 exception.address: 0xe298eb registers.esp: 3865288 registers.edi: 14847400 registers.eax: 27531 registers.ebp: 3955974164 registers.edx: 626345214 registers.ebx: 0 registers.esi: 14869193 registers.ecx: 1970601984	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 52 68 b0 2b cf 27 e9 ed f6 ff ff 58 87 1c 24 exception.symbol: pigeon_50+0x5998b1 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 5871793 exception.address: 0xe298b1 registers.esp: 3865292 registers.edi: 14850551 registers.eax: 27531 registers.ebp: 3955974164 registers.edx: 1259 registers.ebx: 0 registers.esi: 14869193 registers.ecx: 1970601984	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 a7 1d d0 5e 89 34 24 be 97 51 3f exception.symbol: pigeon_50+0x98b562 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10007906 exception.address: 0x121b562 registers.esp: 3865292 registers.edi: 18501153 registers.eax: 19016146 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 60359577 registers.esi: 18965704 registers.ecx: 921	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 53 89 e3 81 c3 04 00 00 00 exception.symbol: pigeon_50+0x98c0b4 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10010804 exception.address: 0x121c0b4 registers.esp: 3865292 registers.edi: 18501153 registers.eax: 19016146 registers.ebp: 3955974164 registers.edx: 4294940672 registers.ebx: 119273 registers.esi: 18965704 registers.ecx: 921	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 2d 6a 02 7e 1b 68 00 71 42 38 e9 e4 00 00 00 exception.symbol: pigeon_50+0x98d965 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10017125 exception.address: 0x121d965 registers.esp: 3865288 registers.edi: 18501153 registers.eax: 18993239 registers.ebp: 3955974164 registers.edx: 4294940672 registers.ebx: 119273 registers.esi: 18965704 registers.ecx: 292076721	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 55 e9 00 00 00 00 89 e5 56 be 3f 01 6a 77 c1 exception.symbol: pigeon_50+0x98db0c exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10017548 exception.address: 0x121db0c registers.esp: 3865292 registers.edi: 18501153 registers.eax: 19021593 registers.ebp: 3955974164 registers.edx: 4294940672 registers.ebx: 119273 registers.esi: 18965704 registers.ecx: 292076721	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb b9 de 18 71 3d 81 c9 72 ca ee 7a 52 51 b9 8b exception.symbol: pigeon_50+0x98d1e7 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10015207 exception.address: 0x121d1e7 registers.esp: 3865292 registers.edi: 18501153 registers.eax: 18996137 registers.ebp: 3955974164 registers.edx: 4294940672 registers.ebx: 50665 registers.esi: 18965704 registers.ecx: 0	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 68 46 56 51 65 89 14 24 c7 04 24 9d 6b f9 exception.symbol: pigeon_50+0x99194c exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10033484 exception.address: 0x122194c registers.esp: 3865292 registers.edi: 18999851 registers.eax: 30417 registers.ebp: 3955974164 registers.edx: 0 registers.ebx: 19012108 registers.esi: 134889 registers.ecx: 18998126	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 42 50 00 00 c7 04 exception.symbol: pigeon_50+0x997a57 exception.instruction: in eax, dx exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10058327 exception.address: 0x1227a57 registers.esp: 3865284 registers.edi: 6369805 registers.eax: 1447909480 registers.ebp: 3955974164 registers.edx: 22104 registers.ebx: 1970540725 registers.esi: 19033551 registers.ecx: 20	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: pigeon_50+0x997883 exception.address: 0x1227883 exception.module: Pigeon_50.exe exception.exception_code: 0xc000001d exception.offset: 10057859 registers.esp: 3865284 registers.edi: 6369805 registers.eax: 1 registers.ebp: 3955974164 registers.edx: 22104 registers.ebx: 0 registers.esi: 19033551 registers.ecx: 20	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 82 28 17 15 01 exception.symbol: pigeon_50+0x99a47c exception.instruction: in eax, dx exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10069116 exception.address: 0x122a47c registers.esp: 3865284 registers.edi: 6369805 registers.eax: 1447909480 registers.ebp: 3955974164 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19033551 registers.ecx: 10	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 e9 77 b8 fb 35 03 0c 24 50 e9 e0 01 00 00 exception.symbol: pigeon_50+0x99ff7e exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10092414 exception.address: 0x122ff7e registers.esp: 3865288 registers.edi: 6369805 registers.eax: 25180 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 46669062 registers.esi: 10 registers.ecx: 19069554	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 51 b9 b6 bf 57 7d 81 e1 b9 exception.symbol: pigeon_50+0x99fd97 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10091927 exception.address: 0x122fd97 registers.esp: 3865292 registers.edi: 1442867808 registers.eax: 25180 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 46669062 registers.esi: 4294944748 registers.ecx: 19094734	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 8b f3 6a 00 51 e8 03 00 00 00 20 exception.symbol: pigeon_50+0x9a06e9 exception.instruction: int 1 exception.module: Pigeon_50.exe exception.exception_code: 0xc0000005 exception.offset: 10094313 exception.address: 0x12306e9 registers.esp: 3865252 registers.edi: 0 registers.eax: 3865252 registers.ebp: 3955974164 registers.edx: 19073011 registers.ebx: 19073011 registers.esi: 36479 registers.ecx: 925887985	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 89 2c 24 89 0c 24 c7 04 24 ba 6f ef 77 81 exception.symbol: pigeon_50+0x9a8389 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10126217 exception.address: 0x1238389 registers.esp: 3865292 registers.edi: 4294943840 registers.eax: 26503 registers.ebp: 3955974164 registers.edx: 654654 registers.ebx: 19130235 registers.esi: 1554 registers.ecx: 3395381333	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 57 bf a2 1b eb 4b 53 bb 21 23 exception.symbol: pigeon_50+0x9b6e84 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10186372 exception.address: 0x1246e84 registers.esp: 3865280 registers.edi: 14838150 registers.eax: 26639 registers.ebp: 3955974164 registers.edx: 6 registers.ebx: 46669296 registers.esi: 1970476048 registers.ecx: 19162442	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 08 e9 08 fc ff ff 31 0c 24 c1 24 exception.symbol: pigeon_50+0x9b6b09 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10185481 exception.address: 0x1246b09 registers.esp: 3865284 registers.edi: 14838150 registers.eax: 26639 registers.ebp: 3955974164 registers.edx: 6 registers.ebx: 46669296 registers.esi: 1970476048 registers.ecx: 19189081	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 bd f4 fb a5 3f 81 exception.symbol: pigeon_50+0x9b65fe exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10184190 exception.address: 0x12465fe registers.esp: 3865284 registers.edi: 14838150 registers.eax: 4294943592 registers.ebp: 3955974164 registers.edx: 6 registers.ebx: 46669296 registers.esi: 607947093 registers.ecx: 19189081	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 e9 82 04 00 00 05 04 05 d3 c0 68 09 a7 40 exception.symbol: pigeon_50+0x9ba559 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10200409 exception.address: 0x124a559 registers.esp: 3865280 registers.edi: 19177460 registers.eax: 32143 registers.ebp: 3955974164 registers.edx: 6 registers.ebx: 16777792 registers.esi: 637760785 registers.ecx: 19169856	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 8e 01 00 00 89 f2 e9 04 exception.symbol: pigeon_50+0x9ba4fa exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10200314 exception.address: 0x124a4fa registers.esp: 3865284 registers.edi: 19180851 registers.eax: 32143 registers.ebp: 3955974164 registers.edx: 6 registers.ebx: 0 registers.esi: 21555537 registers.ecx: 19169856	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 f2 5e cb 68 e9 0a 00 00 00 ba 3b exception.symbol: pigeon_50+0x9c053d exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10224957 exception.address: 0x125053d registers.esp: 3865284 registers.edi: 19180851 registers.eax: 19226912 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 124706304 registers.esi: 21555537 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb ba 00 d3 33 6a e9 49 03 00 00 81 c1 c2 47 5a exception.symbol: pigeon_50+0x9bff2d exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10223405 exception.address: 0x124ff2d registers.esp: 3865284 registers.edi: 0 registers.eax: 19203852 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 30185 registers.esi: 21555537 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 bb 04 95 7b 5f 51 b9 6d fa c9 7e 55 c7 04 exception.symbol: pigeon_50+0x9ca0d7 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10264791 exception.address: 0x125a0d7 registers.esp: 3865280 registers.edi: 1 registers.eax: 27563 registers.ebp: 3955974164 registers.edx: 118 registers.ebx: 19231547 registers.esi: 19241842 registers.ecx: 29499	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb e9 e6 fd ff ff 8b 24 24 ff 36 ff 34 24 8b 0c exception.symbol: pigeon_50+0x9ca52f exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10265903 exception.address: 0x125a52f registers.esp: 3865284 registers.edi: 0 registers.eax: 27563 registers.ebp: 3955974164 registers.edx: 118 registers.ebx: 19231547 registers.esi: 19244969 registers.ecx: 116969	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 c6 1d 0f ed 76 e9 bc 02 00 00 33 04 24 31 exception.symbol: pigeon_50+0x9df181 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10350977 exception.address: 0x126f181 registers.esp: 3865248 registers.edi: 19327653 registers.eax: 29848 registers.ebp: 3955974164 registers.edx: 14839949 registers.ebx: 255783405 registers.esi: 19328156 registers.ecx: 0	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb e9 19 fa ff ff 53 bb d9 58 9b 7b 4b c1 eb 04 exception.symbol: pigeon_50+0x9df4b1 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10351793 exception.address: 0x126f4b1 registers.esp: 3865252 registers.edi: 19327653 registers.eax: 322689 registers.ebp: 3955974164 registers.edx: 14839949 registers.ebx: 255783405 registers.esi: 19358004 registers.ecx: 4294940272	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 ea 58 cb d5 6c e9 83 fa ff ff 81 ea e1 d7 exception.symbol: pigeon_50+0x9e22b0 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10363568 exception.address: 0x12722b0 registers.esp: 3865248 registers.edi: 3941436081 registers.eax: 30399 registers.ebp: 3955974164 registers.edx: 19339047 registers.ebx: 34105857 registers.esi: 38685657 registers.ecx: 34175505	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 bb 94 75 3f 7d c1 eb 03 c1 eb 01 e9 39 02 exception.symbol: pigeon_50+0x9e1b2e exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10361646 exception.address: 0x1271b2e registers.esp: 3865252 registers.edi: 753488982 registers.eax: 4294939984 registers.ebp: 3955974164 registers.edx: 19369446 registers.ebx: 34105857 registers.esi: 38685657 registers.ecx: 34175505	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 32 8b 0c 24 51 89 e1 68 cb 86 6a exception.symbol: pigeon_50+0x9e403d exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10371133 exception.address: 0x127403d registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 32569 registers.ebp: 3955974164 registers.edx: 19369446 registers.ebx: 3341235307 registers.esi: 19381041 registers.ecx: 38715985	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 68 52 e2 11 62 89 04 24 89 1c 24 55 bd 1c e0 exception.symbol: pigeon_50+0x9e455b exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10372443 exception.address: 0x127455b registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 32569 registers.ebp: 3955974164 registers.edx: 4294937336 registers.ebx: 3341235307 registers.esi: 19381041 registers.ecx: 44777	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb e9 52 00 00 00 81 ce 63 c2 7f 73 e9 9e 00 00 exception.symbol: pigeon_50+0x9e51e2 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10375650 exception.address: 0x12751e2 registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 29992 registers.ebp: 3955974164 registers.edx: 19381737 registers.ebx: 221611659 registers.esi: 19381041 registers.ecx: 1568143633	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 68 02 c7 0d 4d 89 34 24 89 14 24 68 e1 91 03 exception.symbol: pigeon_50+0x9e4dc6 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10374598 exception.address: 0x1274dc6 registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 4294940032 registers.ebp: 3955974164 registers.edx: 19381737 registers.ebx: 678862221 registers.esi: 19381041 registers.ecx: 1568143633	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 83 ec 04 89 3c 24 89 1c 24 89 e3 e9 00 00 exception.symbol: pigeon_50+0x9ec219 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10404377 exception.address: 0x127c219 registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 29623 registers.ebp: 3955974164 registers.edx: 0 registers.ebx: 65798 registers.esi: 19381041 registers.ecx: 19409028	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 68 77 86 4c 54 e9 3e 01 00 00 01 cf e9 14 f8 exception.symbol: pigeon_50+0x9ebdfc exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10403324 exception.address: 0x127bdfc registers.esp: 3865252 registers.edi: 3340907586 registers.eax: 0 registers.ebp: 3955974164 registers.edx: 81129 registers.ebx: 65798 registers.esi: 19381041 registers.ecx: 19382924	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 55 bd 8d 1f f5 6d 45 81 c5 bf 12 c4 77 e9 b3 exception.symbol: pigeon_50+0x9ed53f exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10409279 exception.address: 0x127d53f registers.esp: 3865248 registers.edi: 19384974 registers.eax: 26589 registers.ebp: 3955974164 registers.edx: 81129 registers.ebx: 1019370031 registers.esi: 19381041 registers.ecx: 19382924	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 68 00 f4 30 0f 89 34 24 c7 04 24 00 58 9b exception.symbol: pigeon_50+0x9ecea1 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10407585 exception.address: 0x127cea1 registers.esp: 3865252 registers.edi: 19387891 registers.eax: 26589 registers.ebp: 3955974164 registers.edx: 81129 registers.ebx: 157417 registers.esi: 19381041 registers.ecx: 0	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 89 3c 24 bf 37 f5 exception.symbol: pigeon_50+0x9ee526 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10413350 exception.address: 0x127e526 registers.esp: 3865252 registers.edi: 19387891 registers.eax: 28852 registers.ebp: 3955974164 registers.edx: 3939837675 registers.ebx: 0 registers.esi: 19381041 registers.ecx: 19391893	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 81 ec 04 00 00 00 89 1c 24 89 e3 52 ba 04 exception.symbol: pigeon_50+0xa04a0f exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10504719 exception.address: 0x1294a0f registers.esp: 3865252 registers.edi: 0 registers.eax: 30480 registers.ebp: 3955974164 registers.edx: 19485671 registers.ebx: 19461644 registers.esi: 322689 registers.ecx: 19220119	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 52 e9 5f 02 00 00 57 e9 59 05 00 00 41 81 exception.symbol: pigeon_50+0xa100b8 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10551480 exception.address: 0x12a00b8 registers.esp: 3865252 registers.edi: 19499604 registers.eax: 3909414019 registers.ebp: 3955974164 registers.edx: 0 registers.ebx: 19499572 registers.esi: 19499568 registers.ecx: 19531341	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 68 8b cb 70 2b 89 1c 24 89 14 24 ba 06 8c e3 exception.symbol: pigeon_50+0xa17406 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10580998 exception.address: 0x12a7406 registers.esp: 3865252 registers.edi: 19542983 registers.eax: 19587184 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 19499572 registers.esi: 19499568 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 53 89 14 24 50 e9 2a fe ff ff 5a 81 c3 04 00 exception.symbol: pigeon_50+0xa1743c exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10581052 exception.address: 0x12a743c registers.esp: 3865252 registers.edi: 19542983 registers.eax: 19559712 registers.ebp: 3955974164 registers.edx: 41591912 registers.ebx: 19499572 registers.esi: 0 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 f2 03 00 00 89 1c 24 ff 74 24 04 exception.symbol: pigeon_50+0xa17760 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10581856 exception.address: 0x12a7760 registers.esp: 3865252 registers.edi: 19542983 registers.eax: 0 registers.ebp: 3955974164 registers.edx: 19563077 registers.ebx: 401168208 registers.esi: 0 registers.ecx: 1470703944	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 53 89 0c 24 56 be 5d 49 ef 57 89 f1 exception.symbol: pigeon_50+0xa2741b exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10646555 exception.address: 0x12b741b registers.esp: 3865252 registers.edi: 0 registers.eax: 322689 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 7458409 registers.esi: 19627861 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 bf 00 ab 5f 7f 81 e7 31 97 4f 57 exception.symbol: pigeon_50+0xa40a64 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10750564 exception.address: 0x12d0a64 registers.esp: 3865248 registers.edi: 2410931074 registers.eax: 19726965 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 2411720647 registers.esi: 2000355340 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb 52 68 07 75 57 32 e9 85 fa ff ff 05 04 00 00 exception.symbol: pigeon_50+0xa40abf exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10750655 exception.address: 0x12d0abf registers.esp: 3865252 registers.edi: 2410931074 registers.eax: 19758154 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 2411720647 registers.esi: 2000355340 registers.ecx: 2572222464	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb bb 9f bf bd 2e 87 cb 51 f7 14 24 ff 04 24 e9 exception.symbol: pigeon_50+0xa40776 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10749814 exception.address: 0x12d0776 registers.esp: 3865252 registers.edi: 2410931074 registers.eax: 19758154 registers.ebp: 3955974164 registers.edx: 2130566132 registers.ebx: 2411720647 registers.esi: 3076592488 registers.ecx: 4294939176	1
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: fb e9 0c 00 00 00 5a e9 8e 00 00 00 58 e9 f3 02 exception.symbol: pigeon_50+0xa4b795 exception.instruction: sti exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10794901 exception.address: 0x12db795 registers.esp: 3865252 registers.edi: 19354606 registers.eax: 19804429 registers.ebp: 3955974164 registers.edx: 395049983 registers.ebx: 133120 registers.esi: 19354604 registers.ecx: 3738837507	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://telete.in/hcatknife

Performs some HTTP requests (1 event)

request

GET https://telete.in/hcatknife

Allocates read-write-execute memory (usually to unpack itself) (50 out of 173 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 4892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 7400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Roaming\Knee\Pigeon_50.exe
file	C:\Users\test22\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
file	C:\Users\test22\AppData\Roaming\Software\Boat_63.exe
file	C:\Users\test22\AppData\Roaming\Software\software.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk
file	C:\Users\test22\AppData\Local\Temp\nsl313.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Software\Burden_17.exe

Creates a shortcut to an executable file (3 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Roaming\Knee\Pigeon_50.exe
file	C:\Users\test22\AppData\Roaming\Software\Boat_63.exe
file	C:\Users\test22\AppData\Roaming\Software\Burden_17.exe
file	C:\Users\test22\AppData\Roaming\Software\software.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\nsl313.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Software\Burden_17.exe
file	C:\Users\test22\AppData\Roaming\Software\Boat_63.exe
file	C:\Users\test22\AppData\Roaming\Software\software.exe
file	C:\Users\test22\AppData\Roaming\Knee\Pigeon_50.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 9, 2021, 3:21 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW March 9, 2021, 3:21 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 167 events)

url	http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
url	http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
url	http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
url	http://ocsp.verisign.com0
url	http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
url	https://www.verisign.com/rpa
url	http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
url	http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://ocsp.digicert.com0I
url	https://www.verisign.com/rpa0
url	http://crl3.digicert.com/sha2-ha-cs-g1.crl00
url	http://nsis.sf.net/NSIS_Error
url	http://ocsp.digicert.com0R
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
url	https://www.digicert.com/CPS0
url	http://drweb.com/
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
url	http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url	http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url	http://cert.startcom.org/policy.pdf0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://crt.comodoca.com/COMODORSAAddTrustCA.crt0
url	http://users.ocsp.d-trust.net03
url	http://crl.startcom.org/sfsca-crl.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	https://www.verisign.com
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://ocsp.comodoca.com0
url	http://logo.verisign.com/vslogo.gif0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.crc.bg0
url	http://www.acabogacia.org/doc0
url	http://www.e-szigno.hu/SZSZ/0
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://isrg.trustid.ocsp.identrust.com0
url	http://www.quovadis.bm0

Yara rule detected in process memory (50 out of 227 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 85 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 9, 2021, 3:21 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 3:21 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 9, 2021, 3:21 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 42 50 00 00 c7 04 exception.symbol: pigeon_50+0x997a57 exception.instruction: in eax, dx exception.module: Pigeon_50.exe exception.exception_code: 0xc0000096 exception.offset: 10058327 exception.address: 0x1227a57 registers.esp: 3865284 registers.edi: 6369805 registers.eax: 1447909480 registers.ebp: 3955974164 registers.edx: 22104 registers.ebx: 1970540725 registers.esi: 19033551 registers.ecx: 20	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Conjar.1
McAfee	Artemis!F60B8A0C8976
Cylance	Unsafe
Zillya	Backdoor.Agent.Win32.77092
Sangfor	Malware
K7AntiVirus	Trojan ( 005605561 )
Alibaba	TrojanPSW:Win32/Racealer.dcc808c1
K7GW	Trojan ( 005605561 )
Cybereason	malicious.c8976d
Arcabit	Trojan.Conjar.1
Invincea	Mal/Generic-S
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Trojan-Dropper.Win32.Scrop.adhc
BitDefender	Gen:Heur.Conjar.1
NANO-Antivirus	Trojan.Win32.Scrop.hokqtz
Paloalto	generic.ml
AegisLab	Trojan.Win32.Scrop.b!c
Rising	Trojan.Generic@ML.98 (RDMK:YtBuFMVBqD0E6KZV59W4yw)
Ad-Aware	Gen:Heur.Conjar.1
Sophos	Mal/Generic-S
Comodo	Malware@#22era8uyc0f35
DrWeb	Trojan.Siggen9.62311
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R011C0WGN20
McAfee-GW-Edition	Artemis
FireEye	Gen:Heur.Conjar.1
Emsisoft	Gen:Heur.Conjar.1 (B)
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Dropper]/Win32.Scrop
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:Win32/Occamy.CCE
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	Gen:Heur.Conjar.1
AhnLab-V3	Trojan/Win32.Agent.R346540
VBA32	TrojanDropper.Scrop
ALYac	Gen:Heur.Conjar.1
Malwarebytes	Trojan.MalPack.Themida.Generic
ESET-NOD32	multiple detections
TrendMicro-HouseCall	TROJ_GEN.R011C0WGN20
Tencent	Win32.Trojan-dropper.Scrop.Eamt
Ikarus	Trojan.Win32.Themida
eGambit	PE.Heur.InvalidSig
Fortinet	W32/Scrop.VHO!tr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
Qihoo-360	Win32/Virus.RiskTool.c0f

sinqqhd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All