Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2023, 9:32 a.m.	May 18, 2023, 9:36 a.m.

Size	425.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2ee458e3d3211bcf3b5862cae82409c1`
SHA256	`e7aa250ccb3e1236060012ca38205e1eb5b44843531e26ce80d4a70375708224`
CRC32	`A73EE5EC`
ssdeep	`12288:Q7HII000BdTsQMhFfGIxEII1QPc7vO3oxFYG/x:BrBVszh5GIx2icbxxFYG/x`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

RFQ.exe "C:\Users\test22\AppData\Local\Temp\RFQ.exe"
2548
- Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\RFQ.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe.exe'
  2664
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2744

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	64.185.227.155

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
173.231.16.76	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49166 -> 173.231.16.76:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49166 173.231.16.76:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.ipify.org	f4:76:2d:2c:65:d1:15:be:19:a4:c5:e0:8d:eb:89:1a:b6:75:4a:54

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:32 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:32 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:32 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:32 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:32 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f53a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f4be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f47e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f51a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00602360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00602360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:32 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 18, 2023, 9:33 a.m.	stacktrace: 0x6e0904 0x6e0831 0x6e0672 0x6e0074 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e3bed registers.esp: 2159160 registers.edi: 2159184 registers.eax: 0 registers.ebp: 2159196 registers.edx: 195 registers.ebx: 42523924 registers.esi: 42552472 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 18, 2023, 9:33 a.m.

stacktrace:

0x6e0904
0x6e0831
0x6e0672
0x6e0074
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6e3bed
registers.esp: 2159160
registers.edi: 2159184
registers.eax: 0
registers.ebp: 2159196
registers.edx: 195
registers.ebx: 42523924
registers.esi: 42552472
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://api.ipify.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 231 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f1c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f1c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (10 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW May 18, 2023, 9:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\RFQ.exe filepath: C:\Users\test22\AppData\Local\Temp\RFQ.exe	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\RFQ.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe.exe'

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_Processor
wmi	select * from Win32_OperatingSystem

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 18, 2023, 9:32 a.m.	thread_identifier: 2668 thread_handle: 0x0000023c process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\RFQ.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000234	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 18, 2023, 9:33 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00065800', u'virtual_address': u'0x00002000', u'entropy': 7.54243893052692, u'name': u'.text', u'virtual_size': u'0x000657b4'}

entropy

7.54243893053

description

A section with a high entropy has been found

entropy

0.955294117647

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2023, 9:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 18, 2023, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 95216aaa478028ab01b283a78d7ddc3e9861783f
buffer	Buffer with sha1: f3c32dfaa1bd4eea360d8c25abc4b8e50049ac49
buffer	Buffer with sha1: f0a91f144e6f1616ed80f42815b79e0ba92d6e23

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2744 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 18, 2023, 9:33 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 2728223 seconds, actually delayed analysis time by 2728223 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fOLFRQq

reg_value

C:\Users\test22\AppData\Roaming\fOLFRQq\fOLFRQq.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx8dà0þ´ @ @¬´OÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe(LegalCopyright \|)OriginalFilenamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: °5 base_address: 0x0042e000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000250	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx8dà0þ´ @ @¬´OÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000250	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 18, 2023, 9:33 a.m.	thread_identifier: 0 callback_function: 0x0070080a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	917945	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

FireEye	Generic.mg.2ee458e3d3211bcf
Malwarebytes	PUP.Optional.BundleInstaller
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Kryptik.JIT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	VHO:Backdoor.MSIL.Remcos.gen
Sophos	ML/PE-A
F-Secure	Heuristic.HEUR/AGEN.1306351
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1306351
ZoneAlarm	VHO:Backdoor.MSIL.Remcos.gen
Google	Detected
Ikarus	Trojan.Agent
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2744
NtSetContextThread May 18, 2023, 9:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4371710 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 2744	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\fOLFRQq\fOLFRQq.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2744
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2744	1	0	0

Creates a suspicious Powershell process (1 event)

option

-executionpolicy bypass

value

Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW May 18, 2023, 9:32 a.m.	thread_identifier: 2668 thread_handle: 0x0000023c process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\RFQ.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000234	1	1
CreateProcessInternalW May 18, 2023, 9:32 a.m.	thread_identifier: 2748 thread_handle: 0x0000024c process_identifier: 2744 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread May 18, 2023, 9:32 a.m.	thread_handle: 0x0000024c	1	0
NtAllocateVirtualMemory May 18, 2023, 9:32 a.m.	process_identifier: 2744 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250	1	0
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx8dà0þ´ @ @¬´OÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: base_address: 0x00402000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe(LegalCopyright \|)OriginalFilenamec46a0699-d7ba-42cc-b530-9ae8abb85ed8.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: °5 base_address: 0x0042e000 process_identifier: 2744 process_handle: 0x00000250	1	1
WriteProcessMemory May 18, 2023, 9:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2744 process_handle: 0x00000250	1	1
NtSetContextThread May 18, 2023, 9:32 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4371710 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000024c process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2664	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2664	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2664	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2664	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:32 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x00000530 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000075c suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 2744	1	0

RFQ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All