Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 20, 2023, 11:26 a.m.	March 20, 2023, 11:28 a.m.

Size	7.5MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`1431d295525534f244dd34a8a311b87f`
SHA256	`60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e`
CRC32	`F2EFE817`
ssdeep	`24576:2H5qGTyaJEUcmADwRqPACrUJJiILBCR5LpWKMuy1rnwNnNQx/PEEDnpfuZWI9pIx:4qGTyMEQADwwACagk+lKo83Vz1`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check anti_vm_detect - Possibly employs anti-virtualization techniques IsPE64 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature

St4_soft.exe "C:\Users\test22\AppData\Local\Temp\St4_soft.exe"
2068
- St4_soft.exe "C:\Users\test22\AppData\Local\Temp\St4_soft.exe"
  2136
  - WMIC.exe wmic os get Caption
    2272
  - cmd.exe cmd /C "wmic path win32_VideoController get name"
    2400
    - WMIC.exe wmic path win32_VideoController get name
      2460
  - cmd.exe cmd /C "wmic cpu get name"
    2580
    - WMIC.exe wmic cpu get name
      2640

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.15.156.172	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 20, 2023, 11:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 11:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 11:26 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 20, 2023, 11:26 a.m.			0	0
IsDebuggerPresent March 20, 2023, 11:26 a.m.			0	0
IsDebuggerPresent March 20, 2023, 11:26 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 20, 2023, 11:26 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ March 20, 2023, 11:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 48226832 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 48232784 registers.r11: 48228592 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1973518421 registers.r13: 0	1
__exception__ March 20, 2023, 11:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 50455648 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 50461600 registers.r11: 50457408 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1954520712 registers.r13: 0	1
__exception__ March 20, 2023, 11:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 42722368 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 42728320 registers.r11: 42724128 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1979030058 registers.r13: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

March 20, 2023, 11:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 48226832
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 48232784
registers.r11: 48228592
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1973518421
registers.r13: 0

__exception__

March 20, 2023, 11:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 50455648
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 50461600
registers.r11: 50457408
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1954520712
registers.r13: 0

__exception__

March 20, 2023, 11:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0943bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdf55295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdf52799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdffaf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdffb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdf548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe1c0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe1c0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe1c0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefe07a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefe08d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe1c347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe1c122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe1c3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefe08d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefe08d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772598da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefe08d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe1b3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefe060106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefe060182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 42722368
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 42728320
registers.r11: 42724128
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1979030058
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 20, 2023, 11:26 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4219000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 20, 2023, 11:26 a.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4249000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 20, 2023, 11:26 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef41f9000 process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (50 out of 83 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_Click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ZeroAI_Click.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click_image.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Database1.accdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msi2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\My Documents.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test_doc.eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exe1.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test.eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMS Activation.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\╗τ┐δ╣².txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\Website.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok1.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test (1).eml.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\docx2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\password.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\테스트.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\1234.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot2.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시리얼넘버.lnk

Creates a suspicious process (5 events)

cmdline	cmd /C "wmic cpu get name"
cmdline	wmic os get Caption
cmdline	wmic path win32_VideoController get name
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	wmic cpu get name

Potentially malicious URLs were found in the process memory dump (1 event)

url

http://i

Yara rule detected in process memory (19 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Virtual currency	rule	Virtual_currency_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	cmd /C "wmic cpu get name"
cmdline	wmic os get Caption
cmdline	wmic path win32_VideoController get name
cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	wmic cpu get name

Communicates with host for which no DNS query was performed (1 event)

host

45.15.156.172

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 20, 2023, 11:26 a.m.	process_identifier: 2136 region_size: 3522560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000d4	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd/ð"@L@À5` 05\|@5jj ¢+@.text$ `.rdataèÿ @@.dataà ++@À.idata\|05/@À.relocjj@5l/@B.symtab°5/B base_address: 0x0000000000400000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: <35(05 ¢+kernel32.dllWriteFileWriteConsoleWWaitForMultipleObjectsWaitForSingleObjectVirtualQueryVirtualFreeVirtualAllocSwitchToThreadSuspendThreadSetWaitableTimerSetUnhandledExceptionFilterSetProcessPriorityBoostSetEventSetErrorModeSetConsoleCtrlHandlerResumeThreadPostQueuedCompletionStatusLoadLibraryALoadLibraryWSetThreadContextGetThreadContextGetSystemInfoGetSystemDirectoryAGetStdHandleGetQueuedCompletionStatusExGetProcessAffinityMaskGetProcAddressGetEnvironmentStringsWGetConsoleModeFreeEnvironmentStringsWExitProcessDuplicateHandleCreateWaitableTimerExWCreateThreadCreateIoCompletionPortCreateFileACreateEventACloseHandleAddVectoredExceptionHandler605B05R05l050505 05°05Â05Ò05æ051515*15:15R15b151515 15´15È15Ø15î15þ1525625H25b25t252525®25È25Ø25ò25353535 base_address: 0x0000000000753000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: base_address: 0x000000000075b000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd/ð"@L@À5` 05\|@5jj ¢+@.text$ `.rdataèÿ @@.dataà ++@À.idata\|05/@À.relocjj@5l/@B.symtab°5/B base_address: 0x0000000000400000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1	0

Harvests credentials from local email clients (2 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 called NtSetContextThread to modify thread in remote process 2136
NtSetContextThread March 20, 2023, 11:26 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4607040 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000d8 process_identifier: 2136	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\g8t0pe67.default-release\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2136
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2136	1	0	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress March 20, 2023, 11:26 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0
LdrGetProcedureAddress March 20, 2023, 11:26 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

Executed a process and injected code into it, probably while unpacking (50 out of 97 events)

Time & API	Arguments	Status	Return
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtSetContextThread March 20, 2023, 11:26 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 824634548032 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 4578560 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000d4 process_identifier: 2068	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtSetContextThread March 20, 2023, 11:26 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 824634548032 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 4578560 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000d8 process_identifier: 2068	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW March 20, 2023, 11:26 a.m.	thread_identifier: 2140 thread_handle: 0x00000000000000d8 process_identifier: 2136 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\St4_soft.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\St4_soft.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000000d4	1	1
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000d8	1	0
NtUnmapViewOfSection March 20, 2023, 11:26 a.m.	base_address: 0x0000000000400000 region_size: 4096 process_identifier: 2136 process_handle: 0x00000000000000d4	1	0
NtAllocateVirtualMemory March 20, 2023, 11:26 a.m.	process_identifier: 2136 region_size: 3522560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000d4	1	0
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd/ð"@L@À5` 05\|@5jj ¢+@.text$ `.rdataèÿ @@.dataà ++@À.idata\|05/@À.relocjj@5l/@B.symtab°5/B base_address: 0x0000000000400000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: base_address: 0x0000000000401000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000dc	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000dc	1	0
NtResumeThread March 20, 2023, 11:26 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 2068	1	0
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: base_address: 0x000000000057a000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: base_address: 0x00000000006ba000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: <35(05 ¢+kernel32.dllWriteFileWriteConsoleWWaitForMultipleObjectsWaitForSingleObjectVirtualQueryVirtualFreeVirtualAllocSwitchToThreadSuspendThreadSetWaitableTimerSetUnhandledExceptionFilterSetProcessPriorityBoostSetEventSetErrorModeSetConsoleCtrlHandlerResumeThreadPostQueuedCompletionStatusLoadLibraryALoadLibraryWSetThreadContextGetThreadContextGetSystemInfoGetSystemDirectoryAGetStdHandleGetQueuedCompletionStatusExGetProcessAffinityMaskGetProcAddressGetEnvironmentStringsWGetConsoleModeFreeEnvironmentStringsWExitProcessDuplicateHandleCreateWaitableTimerExWCreateThreadCreateIoCompletionPortCreateFileACreateEventACloseHandleAddVectoredExceptionHandler605B05R05l050505 05°05Â05Ò05æ051515*15:15R15b151515 15´15È15Ø15î15þ1525625H25b25t252525®25È25Ø25ò25353535 base_address: 0x0000000000753000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1
WriteProcessMemory March 20, 2023, 11:26 a.m.	buffer: base_address: 0x0000000000754000 process_identifier: 2136 process_handle: 0x00000000000000d4	1	1

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Coins.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65983495
FireEye	Generic.mg.1431d295525534f2
McAfee	Artemis!1431D2955255
Malwarebytes	Malware.AI.4173724817
VIPRE	Trojan.GenericKD.65983495
Sangfor	Infostealer.Win64.Coins.Vujn
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanPSW:Win64/Coins.0dcc87ac
K7GW	Trojan ( 0059f0d11 )
K7AntiVirus	Trojan ( 0059f0d11 )
Arcabit	Trojan.Generic.D3EED407
Cyren	W64/ABRisk.ESIH-1159
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of WinGo/Agent.MO
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-PSW.Win64.Coins.ks
BitDefender	Trojan.GenericKD.65983495
ViRobot	Trojan.Win.Z.Agent.7854592
Avast	Win64:PWSX-gen [Trj]
Tencent	Win64.Trojan-QQPass.QQRob.Mgil
Emsisoft	Trojan.GenericKD.65983495 (B)
TrendMicro	TrojanSpy.Win64.AURORASTEALER.YXDCQZ
McAfee-GW-Edition	BehavesLike.Win64.Trojan.wm
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.ebkir
MAX	malware (ai score=84)
Antiy-AVL	Trojan[PSW]/Win64.Coins
Gridinsoft	Malware.Win64.Aurora.bot
Xcitium	Malware@#g0v5wkxmmnax
Microsoft	Trojan:Win32/Trickbot!ml
GData	Trojan.GenericKD.65983495
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R559668
ALYac	Trojan.GenericKD.65983495
Cylance	unsafe
TrendMicro-HouseCall	TrojanSpy.Win64.AURORASTEALER.YXDCQZ
Rising	Stealer.Coins!8.133E9 (CLOUD)
Ikarus	Trojan.WinGo.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.MO!tr
AVG	Win64:PWSX-gen [Trj]

St4_soft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All