Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 10:56 a.m.	July 30, 2021, 11:12 a.m.

Size	629.7KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f7ba0f7a61b8b51a5e1823d5fd274d12`
SHA256	`97230d986df3ea5ab1a95966a7cd14ff73744912d34edb7a72776b78440d9293`
CRC32	`CB09836C`
ssdeep	`12288:6WGdbu38g1hhiyCCaXNQY0ERzcUKHYjzp489c93P7r9r/+ppppppppppppppppp6:6WKC8gXs7Cz89KHezKv1qzyb`
PDB Path	@
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

faktura-77_2021-3.pdf.exe "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe"
2216
- faktura-77_2021-3.pdf.exe C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe
  1512
  - cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe"
    2704
    - timeout.exe timeout /T 10 /NOBREAK
      2884

Name	Response	Post-Analysis Lookup
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.234.247.75	Active	Moloch
195.201.225.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.234.247.75:80 -> 192.168.56.101:49204	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.234.247.75:80 -> 192.168.56.101:49204	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.234.247.75:80 -> 192.168.56.101:49204	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49203 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	1d:7b:94:0d:d6:f9:85:f3:66:74:d5:1d:98:0c:7a:28:5b:c0:62:44

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 30, 2021, 11:11 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:56 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:56 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 30, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0ed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0ed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2021, 10:56 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.234.247.75/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/147c164f57246ff52d187892d033ff5af5d2df92
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/e9bed5f88e62036906900574f1e28599a7f8d5d3
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/uidesopencardtop

Performs some HTTP requests (4 events)

request	POST http://185.234.247.75/
request	GET http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/147c164f57246ff52d187892d033ff5af5d2df92
request	GET http://185.234.247.75//l/f/eAYt9XoBagrSXdgRtW3j/e9bed5f88e62036906900574f1e28599a7f8d5d3
request	GET https://telete.in/uidesopencardtop

Sends data using the HTTP POST Method (1 event)

request

POST http://185.234.247.75/

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00598000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 59 events)

file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldif60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-math-l1-1-0.dll

Creates a suspicious process (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe"

Drops an executable to the user AppData folder (50 out of 58 events)

file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 30, 2021, 11:11 a.m.	thread_identifier: 2716 thread_handle: 0x000005a8 process_identifier: 2704 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005ac	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00065400', u'virtual_address': u'0x00002000', u'entropy': 7.907379970004114, u'name': u'.text', u'virtual_size': u'0x00065298'}

entropy

7.90737997

description

A section with a high entropy has been found

entropy

0.655339805825

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 30, 2021, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW July 30, 2021, 11:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 065c44bbe576f7a71c73d1a0752dafd3ec2c3085

Communicates with host for which no DNS query was performed (1 event)

host

185.234.247.75

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 1512 region_size: 610304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA July 30, 2021, 11:11 a.m.	key_handle: 0x00000484 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
Alibaba	Trojan:MSIL/Kryptik.477b7962
Cybereason	malicious.a552f1
Cyren	W32/Faker.J.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ACEC
Paloalto	generic.ml
Kaspersky	UDS:Trojan-PSW.MSIL.Racealer.gen
Avast	FileRepMalware
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Suspicious PE
Gridinsoft	Trojan.Win32.Gen.se!i
Microsoft	Trojan:Win32/AgentTesla!ml
McAfee	Artemis!F7BA0F7A61B8
Malwarebytes	Backdoor.Agent.PDL
AVG	FileRepMalware

Harvests credentials from local email clients (4 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 called NtSetContextThread to modify thread in remote process 1512
NtSetContextThread July 30, 2021, 10:56 a.m.	registers.eip: 2000355780 registers.esp: 2751808 registers.edi: 0 registers.eax: 4456511 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 1512	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 1512
NtResumeThread July 30, 2021, 10:56 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 1512	1	0	0

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread July 30, 2021, 10:56 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread July 30, 2021, 10:56 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2216	1	0
NtResumeThread July 30, 2021, 10:56 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2216	1	0
CreateProcessInternalW July 30, 2021, 10:56 a.m.	thread_identifier: 2364 thread_handle: 0x0000021c process_identifier: 1512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection July 30, 2021, 10:56 a.m.	base_address: 0x00400000 region_size: 9502720 process_identifier: 1512 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory July 30, 2021, 10:56 a.m.	process_identifier: 1512 region_size: 610304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtGetContextThread July 30, 2021, 10:56 a.m.	thread_handle: 0x0000021c	1	0
NtSetContextThread July 30, 2021, 10:56 a.m.	registers.eip: 2000355780 registers.esp: 2751808 registers.edi: 0 registers.eax: 4456511 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 1512	1	0
NtResumeThread July 30, 2021, 10:56 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 1512	1	0
NtResumeThread July 30, 2021, 11:10 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 1512	1	0
CreateProcessInternalW July 30, 2021, 11:11 a.m.	thread_identifier: 2716 thread_handle: 0x000005a8 process_identifier: 2704 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\faktura-77_2021-3.pdf.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005ac	1	1
CreateProcessInternalW July 30, 2021, 11:11 a.m.	thread_identifier: 1816 thread_handle: 0x00000088 process_identifier: 2884 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout /T 10 /NOBREAK filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1

faktura-77_2021-3.pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All