Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 12, 2021, 6:36 p.m.	March 12, 2021, 6:38 p.m.

Size	304.6KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`33f3a04aa01af912b83b4e82c6b9c12e`
SHA256	`3d90f14c88ddacd592856e9e0d657d95e7bbc4bf41a0805cea58fb725bb0d61d`
CRC32	`DF31BCA0`
ssdeep	`3072:ybngKLyBiBQ2bk2VtC+eG2wRW30IGKL4VGeGquKq+Rne9UTINpAfVC+uSiOOS+Ql:ybnLGcB3bk2V8Ep59`
Yara	PE_Header_Zero - PE File Signature Zero Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check

lurdx.exe "C:\Users\test22\AppData\Local\Temp\lurdx.exe"
2416
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\lurdx.exe" -Force
  2084
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  656
  - timeout.exe timeout 1
    2196
- lurdx.exe "C:\Users\test22\AppData\Local\Temp\lurdx.exe"
  2488

Name	Response	Post-Analysis Lookup
liverpoolofcfanclub.com	A 104.21.31.39 A 172.67.174.240	104.21.31.39

IP Address	Status	Action
104.21.31.39	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2021, 6:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0
IsDebuggerPresent March 12, 2021, 6:36 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\lurd console_handle: 0x00000053	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: x.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW March 12, 2021, 6:36 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 52 events)

Time & API	Arguments	Status	Return
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005898d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00589910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00589910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ed5d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edfd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ed410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ed410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ed410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002edcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ede10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ee090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 12, 2021, 6:37 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 12, 2021, 6:36 p.m.		1	1	0

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ March 12, 2021, 6:36 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45b0 @ 0x6ff345b0 mscorlib+0x2f74d4 @ 0x6ff374d4 mscorlib+0x327e5c @ 0x6ff67e5c 0x62443e 0x62019e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4320156 registers.edi: 0 registers.eax: 4320156 registers.ebp: 4320236 registers.edx: 0 registers.ebx: 6139752 registers.esi: 5330688 registers.ecx: 1861961528	1
__exception__ March 12, 2021, 6:36 p.m.	stacktrace: 0x6176444 0x6161a61 0x62e819 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x727c564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x7279be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x7279b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x7279b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x7279bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x7279bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7275cca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7275cd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72848841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x727c14e9 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x62e7f6 0x62e238 0x6201dc DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 62 3b d4 69 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x617757b registers.esp: 4314964 registers.edi: 4314984 registers.eax: 0 registers.ebp: 4314996 registers.edx: 37491240 registers.ebx: 4315792 registers.esi: 37491240 registers.ecx: 0	1
__exception__ March 12, 2021, 6:36 p.m.	stacktrace: 0x6177515 0x6161a61 0x62e819 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x727c564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x7279be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x7279b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x7279b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x7279bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x7279bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7275cca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7275cd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72848841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x727c14e9 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x62e7f6 0x62e238 0x6201dc DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 62 3b d4 69 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x617757b registers.esp: 4314964 registers.edi: 4314984 registers.eax: 0 registers.ebp: 4314996 registers.edx: 117404300 registers.ebx: 4315792 registers.esi: 117404300 registers.ecx: 0	1
__exception__ March 12, 2021, 6:36 p.m.	stacktrace: 0x617cc2e 0x617c187 0x61777af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x62e7f6 0x62e238 0x6201dc DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x324f62 exception.address: 0x6ff64f62 registers.esp: 4317764 registers.edi: 4317788 registers.eax: 0 registers.ebp: 4317800 registers.edx: 0 registers.ebx: 117694192 registers.esi: 4194364 registers.ecx: 4194364	1
__exception__ March 12, 2021, 6:36 p.m.	stacktrace: 0xbc17d8 0xbc0ffb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 4b d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbc1c4b registers.esp: 3666720 registers.edi: 3666744 registers.eax: 0 registers.ebp: 3666756 registers.edx: 195 registers.ebx: 3667012 registers.esi: 35677784 registers.ecx: 0	1
__exception__ March 12, 2021, 6:37 p.m.	stacktrace: 0xbc6d09 0xbc1569 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 82 4a 36 6f exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbca23e registers.esp: 3665464 registers.edi: 0 registers.eax: 35896244 registers.ebp: 3665512 registers.edx: 35896244 registers.ebx: 35895476 registers.esi: 35895440 registers.ecx: 1875134866	1
__exception__ March 12, 2021, 6:37 p.m.	stacktrace: 0xbc6fec 0xbc1569 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbcd461 registers.esp: 3665460 registers.edi: 3665500 registers.eax: 3 registers.ebp: 3665512 registers.edx: 0 registers.ebx: 35825440 registers.esi: 35962360 registers.ecx: 0	1
__exception__ March 12, 2021, 6:37 p.m.	stacktrace: 0xbc1569 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 7b 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [ebx + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbc70cc registers.esp: 3665520 registers.edi: 35972924 registers.eax: 35972924 registers.ebp: 3666792 registers.edx: 35972924 registers.ebx: 0 registers.esi: 0 registers.ecx: 35136160	1
__exception__ March 12, 2021, 6:37 p.m.	stacktrace: 0xbc7b5e 0xbc1569 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 6e 45 c9 6a 83 78 04 00 0f 84 3b 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x521c577 registers.esp: 3665432 registers.edi: 3665496 registers.eax: 0 registers.ebp: 3665512 registers.edx: 3665400 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ March 12, 2021, 6:37 p.m.	stacktrace: 0xbc7c04 0xbc1569 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 39 40 c9 6a 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x521caac registers.esp: 3665448 registers.edi: 3665496 registers.eax: 0 registers.ebp: 3665512 registers.edx: 3665416 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5CE6D87A01BDFF577E36CDA694150723.html
request	GET http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9C0C5071597064159707491C94EAD1DB.html
request	GET http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BB4F0127925FA3CC2062530FDF7A3934.html

Allocates read-write-execute memory (usually to unpack itself) (50 out of 234 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06171000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06175000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06176000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06178000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06179000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0617a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0617b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0617c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0617d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cbc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cbc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\lurdx.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\lurdx.exe" -Force

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 12, 2021, 6:36 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\lurdx.exe" -Force filepath: powershell	1	1	0
ShellExecuteExW March 12, 2021, 6:36 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW March 12, 2021, 6:36 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\Invincible\lurdx.exe_Url_cwmnl1caaqpdyf5ohbp03egzqp5iwndo\7.247.450.81\user.config flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Invincible\lurdx.exe_Url_cwmnl1caaqpdyf5ohbp03egzqp5iwndo\7.247.450.81\gqy5mipv.newcfg newfilepath: C:\Users\test22\AppData\Local\Invincible\lurdx.exe_Url_cwmnl1caaqpdyf5ohbp03egzqp5iwndo\7.247.450.81\user.config oldfilepath: C:\Users\test22\AppData\Local\Invincible\lurdx.exe_Url_cwmnl1caaqpdyf5ohbp03egzqp5iwndo\7.247.450.81\gqy5mipv.newcfg	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 12, 2021, 6:36 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 12, 2021, 6:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 12, 2021, 6:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 12, 2021, 6:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 548 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url	http://www.signatur.rtr.at/de/directory/cps.html0
url	http://www.globaltrust.info0

Yara rule detected in process memory (50 out of 251 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 12, 2021, 6:36 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000230		0	0
NtTerminateProcess March 12, 2021, 6:36 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000230		3221225738	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2488 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000006a8	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 12, 2021, 6:36 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

lurdx.exe tried to sleep 13641049 seconds, actually delayed analysis time by 13641049 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\icloud

reg_value

C:\Users\test22\AppData\Roaming\icloud\icloud.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæ2G`àV¾u @ À@duWÀ H.textÄU V `.rsrcÀX@@.reloc \@B base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: 0 HXhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsOVMu XaAr(CompanyNamePqQ8FileDescriptionOGq SwV0FileVersion1.7.5.7: InternalNameIKuE PLB.exez+LegalCopyrightCopyright 2020 © Zmc. All rights reserved.2LegalTrademarksTSXaB OriginalFilenameIKuE PLB.exe2 ProductNameIKuE PLB4ProductVersion0.5.0.08Assembly Version0.5.0.0DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00438000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: pÀ5 base_address: 0x0043a000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2488 process_handle: 0x000006a8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæ2G`àV¾u @ À@duWÀ H.textÄU V `.rsrcÀX@@.reloc \@B base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000006a8	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW March 12, 2021, 6:37 p.m.	thread_identifier: 0 callback_function: 0x009e13ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	4719327	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 called NtSetContextThread to modify thread in remote process 2488
NtSetContextThread March 12, 2021, 6:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421054 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000690 process_identifier: 2488	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

url	https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\icloud\icloud.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 resumed a thread in remote process 2488
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000690 suspend_count: 1 process_identifier: 2488	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (50 out of 64 events)

Time & API	Arguments	Status	Return
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread March 12, 2021, 6:36 p.m.	registers.eip: 1920740228 registers.esp: 4320364 registers.edi: 38910080 registers.eax: 5177454 registers.ebp: 4320368 registers.edx: 38895212 registers.ebx: 0 registers.esi: 7432 registers.ecx: 108662776 thread_handle: 0x000000e0 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW March 12, 2021, 6:36 p.m.	thread_identifier: 2276 thread_handle: 0x0000066c process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\lurdx.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000670	1	1
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x0000068c suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW March 12, 2021, 6:36 p.m.	thread_identifier: 2672 thread_handle: 0x000006a0 process_identifier: 656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006b4	1	1
CreateProcessInternalW March 12, 2021, 6:36 p.m.	thread_identifier: 2316 thread_handle: 0x00000690 process_identifier: 2488 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lurdx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lurdx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000006a8	1	1
NtGetContextThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000690	1	0
NtAllocateVirtualMemory March 12, 2021, 6:36 p.m.	process_identifier: 2488 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000006a8	1	0
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELæ2G`àV¾u @ À@duWÀ H.textÄU V `.rsrcÀX@@.reloc \@B base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: base_address: 0x00402000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: 0 HXhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsOVMu XaAr(CompanyNamePqQ8FileDescriptionOGq SwV0FileVersion1.7.5.7: InternalNameIKuE PLB.exez+LegalCopyrightCopyright 2020 © Zmc. All rights reserved.2LegalTrademarksTSXaB OriginalFilenameIKuE PLB.exe2 ProductNameIKuE PLB4ProductVersion0.5.0.08Assembly Version0.5.0.0DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00438000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: pÀ5 base_address: 0x0043a000 process_identifier: 2488 process_handle: 0x000006a8	1	1
WriteProcessMemory March 12, 2021, 6:36 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2488 process_handle: 0x000006a8	1	1
NtSetContextThread March 12, 2021, 6:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421054 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000690 process_identifier: 2488	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000690 suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread March 12, 2021, 6:36 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2084	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen12.32952
MicroWorld-eScan	Trojan.GenericKD.45870175
ALYac	Trojan.GenericKD.45870175
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 00578e7c1 )
Alibaba	Trojan:MSIL/Generic.52c095f1
K7GW	Trojan-Downloader ( 00578e7c1 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D2BBEC5F
BitDefenderTheta	Gen:NN.ZemsilF.34608.tm1@aqgx2zf
Cyren	W32/MSIL_Kryptik.DLT.gen!Eldorado
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HNL
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 85)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.45870175
AegisLab	Trojan.MSIL.Agensla.i!c
Rising	Downloader.Agent!8.B23 (CLOUD)
Ad-Aware	Trojan.GenericKD.45870175
Emsisoft	Trojan.GenericKD.45870175 (B)
Comodo	Malware@#2xijbdxh5eco5
F-Secure	Trojan.TR/Dldr.Agent.nemwg
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.THCAABA
McAfee-GW-Edition	RDN/Generic Downloader.x
FireEye	Generic.mg.33f3a04aa01af912
Sophos	Mal/Generic-S
Webroot	W32.Trojan.GenKD
Avira	TR/Dldr.Agent.nemwg
MAX	malware (ai score=87)
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Kingsoft	Win32.Heur.KVM019.a.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.oa
Microsoft	Trojan:Win32/Ymacco.AB12
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.45870175
McAfee	RDN/Generic Downloader.x
Malwarebytes	Spyware.AgentTesla
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.THCAABA
Tencent	Win32.Trojan.Inject.Auto
Fortinet	MSIL/Agent.HNL!tr.dldr
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]
Qihoo-360	Win32/TrojanSpy.AgentTesla.HgIASQgA

lurdx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All