Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 15, 2023, 12:05 p.m.	March 15, 2023, 12:07 p.m.

Size	3.8MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d07b7112b39c9eee7eaeba1adb099543`
SHA256	`1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a`
CRC32	`D677AB3F`
ssdeep	`98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm`
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

pganjz.exe "C:\Users\test22\AppData\Local\Temp\pganjz.exe"
1932
- vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2068
  - vbc.exe -a "C:\Users\test22\AppData\Local\1868f947\plg\vqoXGIV8.json"
    3004
    - vbc.exe -a "C:\Users\test22\AppData\Local\Temp\unk.xml"
      2088
- cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\tewu"
  2132
- cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f
  2172
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f
    2308
- cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\pganjz.exe" "C:\Users\test22\AppData\Roaming\tewu\tewu.exe"
  2228

Name	Response	Post-Analysis Lookup
www.xenarmor.com	CNAME xenarmor.com A 69.64.94.128	69.64.94.128

IP Address	Status	Action
164.124.101.2	Active	Moloch
69.64.94.128	Active	Moloch
74.201.28.92	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 74.201.28.92:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.103:49169 -> 74.201.28.92:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.103:49175 -> 69.64.94.128:80	2030616	ET POLICY XenArmor Password Recovery License Check	Potential Corporate Privacy Violation
TCP 192.168.56.103:49201 -> 74.201.28.92:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49168 74.201.28.92:3569	CN=B2tp	CN=B2tp	a9:51:15:4c:b3:e1:b0:c2:63:da:2f:13:57:33:e2:1f:69:4a:59:80
TLS 1.2 192.168.56.103:49169 74.201.28.92:3569	CN=B2tp	CN=B2tp	a9:51:15:4c:b3:e1:b0:c2:63:da:2f:13:57:33:e2:1f:69:4a:59:80
TLS 1.2 192.168.56.103:49201 74.201.28.92:3569	CN=B2tp	CN=B2tp	a9:51:15:4c:b3:e1:b0:c2:63:da:2f:13:57:33:e2:1f:69:4a:59:80

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 15, 2023, 12:05 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 15, 2023, 12:05 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 15, 2023, 12:05 p.m.			0	0
IsDebuggerPresent March 15, 2023, 12:05 p.m.			0	0

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Password Recovery Status console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Browser Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Email Client Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Messenger Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering FTP Client Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Download Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Database Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering All Other Apps Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Credential Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: [*] Recovering Wi-Fi Passwords... console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: Password Recovery Result console_handle: 0x00000007	1	1
WriteConsoleA March 15, 2023, 12:06 p.m.	buffer: No stored passwords found. Please change the input parameters and try again Type .exe -h for more options & examples console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2023, 12:05 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://www.xenarmor.com/xen-check-portable-license.php?key=øÞÞ~nr%5DE%1C²%12a¸Bô%0D%17X0%1E&email=SDÌãéQa4i%19èQûþóuÀc;êf:Í5$×rAV&productid=5701

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00965000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00967000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0094c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0093a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00956000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0095a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00957000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0094a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (34 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\

Creates executable files on the filesystem (20 events)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll

Creates hidden or system file (6 events)

Time & API	Arguments	Status	Return
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\External filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\External	1	1
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt	1	1
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	1	1
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	1	1
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\unk.xml filepath: C:\Users\test22\AppData\Local\Temp\unk.xml	1	1
SetFileAttributesW March 15, 2023, 12:06 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\1868f947\plg\vqoXGIV8.json filepath: C:\Users\test22\AppData\Local\1868f947\plg\vqoXGIV8.json	1	1

Creates a suspicious process (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2136 thread_handle: 0x0000029c process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\tewu" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002ac	1	1
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2176 thread_handle: 0x0000029c process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2232 thread_handle: 0x0000029c process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\pganjz.exe" "C:\Users\test22\AppData\Roaming\tewu\tewu.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003c8600', u'virtual_address': u'0x00002000', u'entropy': 7.9995498740520015, u'name': u'.text', u'virtual_size': u'0x003c8441'}

entropy

7.99954987405

description

A section with a high entropy has been found

entropy

0.995630381699

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 15, 2023, 12:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 12:05 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 15, 2023, 12:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (40 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Communications smtp	rule	network_smtp_raw
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA March 15, 2023, 12:06 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Navigator_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Navigator_is1		2	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\tewu"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 368878a5ba7c1d7d054579b5cee41cdc723b67c6
buffer	Buffer with sha1: 3b112949486c78feaabadebf814c4ba692663a98

Communicates with host for which no DNS query was performed (1 event)

host

74.201.28.92

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2068 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 3004 region_size: 5095424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 2088 region_size: 3137536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000084	1

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\Default\
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data\Default\

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 15, 2023, 12:05 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 5456869 seconds, actually delayed analysis time by 5456869 seconds

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f

Harvests credentials from local FTP client softwares (12 events)

file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
registry	HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
registry	HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
registry	HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
registry	HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\CoreFTP\Sites

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW March 15, 2023, 12:05 p.m.	thread_identifier: 0 callback_function: 0x0050f84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	393701	0

Harvests information related to installed instant messenger clients (8 events)

file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Xfire\XfireUser.ini
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\IMVU\username
registry	HKEY_CURRENT_USER\Software\IMVU\password
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x007a8000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: eÐføg hHipjkÀlèmn8o`pq°rØst(uPvxw xÈyð è´ °A8K 8è8W ` ä0I P-8O °\|8K ØÀÇ8I ø8q (08g Phé8Y x B0_ Ð¡À[ Èý8Q ðÈN8I Ð @Ð« Ð h Ë"8· Ø)Ðû ¸¨~<Ð3 àx²>HG Àù?gT´M@´M´Mb´Mp´M´MKERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect base_address: 0x008db000 process_identifier: 3004 process_handle: 0x000003a0	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3004 process_handle: 0x000003a0	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: PÒ/¤Ñ/]Ò/¬Ñ/iÒ/´Ñ/sÒ/¼Ñ/Ò/ÄÑ/Ò/ÌÑ/Ò/àÑ/¢Ò/èÑ/¬Ò/ðÑ/·Ò/øÑ/ÄÒ/Ò/ÑÒ/Ò/ÜÒ/Ò/èÒ/Ò/ôÒ/ Ò/ÿÒ/(Ò/Ó/0Ò/Ó/8Ò/#Ó/@Ò/-Ó/HÒ/:Ó/DÓ/XÓ/`Ó/jÓ/Ó/zÓ/Ó/¦Ó/¶Ó/ÂÓ/ÎÓ/ÈâÓ/ôÓ/Ô/Ô/Ô/&Ô/HÔ/VÔ/fÔ/rÔ/ADVAPI32.dllCRYPT32.dllGDI32.dllgdiplus.dllIMM32.dllKERNEL32.DLLMSIMG32.dllole32.dllOLEACC.dllOLEAUT32.dllRASAPI32.dllRPCRT4.dllSHELL32.dllSHLWAPI.dllUSER32.dllUSERENV.dllUxTheme.dllVERSION.dllWINMM.dllWINSPOOL.DRVLsaCloseCryptUnprotectDataLPtoDPGdipFreeImmGetContextExitProcessGetProcAddressLoadLibraryAVirtualProtectAlphaBlendDoDragDropLresultFromObjectRasEnumEntriesAUuidFromStringADragFinishPathIsUNCAGetDCExpandEnvironmentStringsForUserAIsAppThemedVerQueryValueAPlaySoundAOpenPrinterA base_address: 0x006fd000 process_identifier: 2088 process_handle: 0x00000084	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2088 process_handle: 0x00000084	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000294	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW March 15, 2023, 12:05 p.m.	thread_identifier: 0 callback_function: 0x004ca8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	131559	0

Harvests credentials from local email clients (7 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Program Files\Foxmail 7.0\Data\AccCfg\Accounts.tdat
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\POP3 User
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 called NtSetContextThread to modify thread in remote process 2068
Process injection	Process 2068 called NtSetContextThread to modify thread in remote process 3004
Process injection	Process 3004 called NtSetContextThread to modify thread in remote process 2088
NtSetContextThread March 15, 2023, 12:05 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2068	1	0	0
NtSetContextThread March 15, 2023, 12:06 p.m.	registers.eip: 2005598660 registers.esp: 1570864 registers.edi: 0 registers.eax: 9281504 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000038c process_identifier: 3004	1	0	0
NtSetContextThread March 15, 2023, 12:06 p.m.	registers.eip: 2005598660 registers.esp: 1506248 registers.edi: 0 registers.eax: 7324112 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000080 process_identifier: 2088	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

Putty Files, Registry Keys and/or Mutexes Detected

Appends a known multi-family ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Local\1868f947\plg\c039198306863035fea360c1237d8088.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 resumed a thread in remote process 2068
Process injection	Process 2068 resumed a thread in remote process 3004
Process injection	Process 3004 resumed a thread in remote process 2088
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2068	1	0	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 3004	1	0	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x00000080 suspend_count: 1 process_identifier: 2088	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 73 events)

Time & API	Arguments	Status	Return
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2072 thread_handle: 0x00000290 process_identifier: 2068 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000294	1	1
NtGetContextThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000290	1	0
NtAllocateVirtualMemory March 15, 2023, 12:05 p.m.	process_identifier: 2068 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	1	0
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@.ÔÌ8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x00401000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x006e0000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x0078c000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x007a6000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x007a8000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: base_address: 0x007a9000 process_identifier: 2068 process_handle: 0x00000294	1	1
WriteProcessMemory March 15, 2023, 12:05 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2068 process_handle: 0x00000294	1	1
NtSetContextThread March 15, 2023, 12:05 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000290 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2136 thread_handle: 0x0000029c process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\tewu" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002ac	1	1
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2176 thread_handle: 0x0000029c process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\tewu\tewu.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW March 15, 2023, 12:05 p.m.	thread_identifier: 2232 thread_handle: 0x0000029c process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\pganjz.exe" "C:\Users\test22\AppData\Roaming\tewu\tewu.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:05 p.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW March 15, 2023, 12:06 p.m.	thread_identifier: 3008 thread_handle: 0x0000038c process_identifier: 3004 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: -a "C:\Users\test22\AppData\Local\1868f947\plg\vqoXGIV8.json" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a0	1	1
NtGetContextThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c	1	0
NtAllocateVirtualMemory March 15, 2023, 12:06 p.m.	process_identifier: 3004 region_size: 5095424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x00400000 process_identifier: 3004 process_handle: 0x000003a0	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x00401000 process_identifier: 3004 process_handle: 0x000003a0		0
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: base_address: 0x00578000 process_identifier: 3004 process_handle: 0x000003a0	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: eÐføg hHipjkÀlèmn8o`pq°rØst(uPvxw xÈyð è´ °A8K 8è8W ` ä0I P-8O °\|8K ØÀÇ8I ø8q (08g Phé8Y x B0_ Ð¡À[ Èý8Q ðÈN8I Ð @Ð« Ð h Ë"8· Ø)Ðû ¸¨~<Ð3 àx²>HG Àù?gT´M@´M´Mb´Mp´M´MKERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect base_address: 0x008db000 process_identifier: 3004 process_handle: 0x000003a0	1	1
WriteProcessMemory March 15, 2023, 12:06 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3004 process_handle: 0x000003a0	1	1
NtSetContextThread March 15, 2023, 12:06 p.m.	registers.eip: 2005598660 registers.esp: 1570864 registers.edi: 0 registers.eax: 9281504 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000038c process_identifier: 3004	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 3004	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread March 15, 2023, 12:06 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2068	1	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.mgtv
Elastic	malicious (high confidence)
FireEye	Generic.mg.d07b7112b39c9eee
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.9cbfdf9b
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:RATX-gen [Trj]
Sophos	ML/PE-A
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/BirRat.MK!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	MSIL.Backdoor.AMRat.PVLI1P
Acronis	suspicious
McAfee	Artemis!D07B7112B39C
Malwarebytes	Trojan.Crypt.MSIL
Rising	Malware.Obfus/MSIL@AI.96 (RDM.MSIL2:J1E7wVOxxlLglEN44NcoFA)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AHBB!tr
BitDefenderTheta	Gen:NN.ZemsilF.36344.Zp0@aKvLkrmi
AVG	Win32:RATX-gen [Trj]

pganjz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All