winlog.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2021, 10:13 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 15, 2021, 10:13 a.m.	process_identifier: 1756 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsi6367.tmp\x369itfv9itih1g.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsi6367.tmp\x369itfv9itih1g.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 15, 2021, 10:13 a.m.	snapshot_handle: 0x000001e4 process_name: winlog.exe process_identifier: 1896	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 15, 2021, 10:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (50 out of 125 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://nsis.sf.net/NSIS_Error
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0

Yara rule detected in process memory (50 out of 85 events)

description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	Communications over UDP network				rule	network_udp_sock
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over P2P network				rule	network_p2p_win
description	Communications over HTTP				rule	network_http
description	File downloader/dropper				rule	network_dropper
description	Communications over FTP				rule	network_ftp
description	Communications over RAW socket				rule	network_tcp_socket
description	Communications use DNS				rule	network_dns
description	Communication using dga				rule	network_dga
description	Escalade priviledges				rule	escalate_priv
description	Take screenshot				rule	screenshot
description	Run a keylogger				rule	keylogger
description	Steal credential				rule	cred_local
description	Record Audio				rule	sniff_audio
description	APC queue tasks migration				rule	migrate_apc
description	Malware can spread east-west using share drive				rule	spreading_share
description	Create or check mutex				rule	win_mutex
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_private_profile
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration				rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call				rule	Str_Win32_Internet_API
description	Match Windows Http API call				rule	Str_Win32_Http_API
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerCheck__RemoteAPI
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__ConsoleCtrl
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	(no description)				rule	Check_Dlls
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Bypass DEP				rule	disable_dep
description	Affect hook table				rule	win_hook
description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Hijack network configuration				rule	hijack_network
description	Create a windows service				rule	create_service
description	Create a COM server				rule	create_com_service
description	Communications over UDP network				rule	network_udp_sock
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over P2P network				rule	network_p2p_win
description	Communications over HTTP				rule	network_http
description	File downloader/dropper				rule	network_dropper

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 1896 called NtSetContextThread to modify thread in remote process 1756
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread March 15, 2021, 10:13 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4313088 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 1756	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.45881237
ALYac	Trojan.Agent.FormBook
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0057909a1 )
Alibaba	TrojanSpy:Win32/SpyNoon.1cd04aaa
K7GW	Trojan ( 0057909a1 )
Cybereason	malicious.470319
Arcabit	Trojan.Generic.D2BC1795
Cyren	W32/Kryptik.DOX.gen!Eldorado
TrendMicro-HouseCall	TROJ_GEN.R002H0CCB21
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender	Trojan.GenericKD.45881237
Paloalto	generic.ml
AegisLab	Trojan.Win32.Malicious.4!c
Ad-Aware	Trojan.GenericKD.45881237
Sophos	ML/PE-A
Comodo	Malware@#2e69weu58vajy
DrWeb	Trojan.Siggen12.35060
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Vopak.dc
FireEye	Generic.mg.9bdc8f00b437a66c
Emsisoft	Trojan.Injector (A)
APEX	Malicious
ESET-NOD32	a variant of Win32/Injector.EOVE
Webroot	W32.Trojan.Gen
Avira	TR/AD.Swotter.owqbh
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	Trojan:Win32/SpyNoon.SS!MTB
GData	Trojan.GenericKD.45881237
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Nsis.C4371168
McAfee	Formbook.f
Malwarebytes	Trojan.Loader
Ikarus	Trojan.Win32.Injector
Rising	Trojan.Injector!8.C4 (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.AFS!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (W)
Qihoo-360	Win32/Trojan.Generic.HoMASQkA