Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 24, 2023, 9:10 a.m.	May 24, 2023, 9:12 a.m.

Size	681.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d29f7f2967179adb21e755ef4e2fb713`
SHA256	`1ce24db77fddb5022011d0407f93d6217b84ad6e18bf9be127bd8d2808423b73`
CRC32	`AFD77130`
ssdeep	`12288:CiTB2QwWASA359TWdc7qN+J8Z8OkJ744qs9dH:X5LaFWdj+6Z8OP4qs`
PDB Path	KjseonH.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

ray.exe "C:\Users\test22\AppData\Local\Temp\ray.exe"
2660
- MSBuild.exe "{path}"
  2952

Name	Response	Post-Analysis Lookup
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	104.237.62.211

IP Address	Status	Action
104.237.62.211	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 104.237.62.211:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49165 104.237.62.211:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.ipify.org	f4:76:2d:2c:65:d1:15:be:19:a4:c5:e0:8d:eb:89:1a:b6:75:4a:54

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2023, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2023, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2023, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2023, 9:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2023, 9:10 a.m.			0	0
IsDebuggerPresent May 24, 2023, 9:10 a.m.			0	0
IsDebuggerPresent May 24, 2023, 9:10 a.m.			0	0
IsDebuggerPresent May 24, 2023, 9:10 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064b9a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064b2a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064b2a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059d398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2023, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bb278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

KjseonH.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2023, 9:10 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 24, 2023, 9:10 a.m.	stacktrace: 0x87091c 0x870846 0x870653 0x870083 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x873c05 registers.esp: 4124376 registers.edi: 4124400 registers.eax: 0 registers.ebp: 4124412 registers.edx: 195 registers.ebx: 37680420 registers.esi: 37717208 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 24, 2023, 9:10 a.m.

stacktrace:

0x87091c
0x870846
0x870653
0x870083
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x873c05
registers.esp: 4124376
registers.edi: 4124400
registers.eax: 0
registers.ebp: 4124412
registers.edx: 195
registers.ebx: 37680420
registers.esi: 37717208
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://api.ipify.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 121 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fa22000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050301a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050301c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050a836e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050a8362 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073ec8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073eec process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073ef4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073ef8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f04 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f08 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f0c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f14 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05073f18 process_handle: 0xffffffff		3221225550

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 24, 2023, 9:10 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 24, 2023, 9:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 24, 2023, 9:10 a.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x000002ac		0	0
NtTerminateProcess May 24, 2023, 9:10 a.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x000002ac	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2916 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2952 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 24, 2023, 9:10 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 manipulating memory of non-child process 2916
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2916 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL^Ñcà0î¨ @ @¨OÀFà H.textô `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamedde931e2-2d30-421f-8574-75b7b25b3267.exe(LegalCopyright \|)OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: ð8 base_address: 0x0042e000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2952 process_handle: 0x000002a8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL^Ñcà0î¨ @ @¨OÀFà H.textô `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2952 process_handle: 0x000002a8	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 called NtSetContextThread to modify thread in remote process 2952
NtSetContextThread May 24, 2023, 9:10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368622 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2952	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 resumed a thread in remote process 2952
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2952	1	0	0

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2660	1	0
CreateProcessInternalW May 24, 2023, 9:10 a.m.	thread_identifier: 2920 thread_handle: 0x000002a0 process_identifier: 2916 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002a0	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2916 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
CreateProcessInternalW May 24, 2023, 9:10 a.m.	thread_identifier: 2956 thread_handle: 0x000002ac process_identifier: 2952 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtGetContextThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 2952 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a8	1	0
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL^Ñcà0î¨ @ @¨OÀFà H.textô `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: base_address: 0x00402000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamedde931e2-2d30-421f-8574-75b7b25b3267.exe(LegalCopyright \|)OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: ð8 base_address: 0x0042e000 process_identifier: 2952 process_handle: 0x000002a8	1	1
WriteProcessMemory May 24, 2023, 9:10 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2952 process_handle: 0x000002a8	1	1
NtSetContextThread May 24, 2023, 9:10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368622 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2660	1	0
NtGetContextThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002c8	1	0
NtGetContextThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002c8	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2660	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread May 24, 2023, 9:10 a.m.	thread_handle: 0x00000730 suspend_count: 1 process_identifier: 2952	1	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.67184295
McAfee	Artemis!D29F7F296717
Malwarebytes	Trojan.MalPack
Sangfor	Suspicious.Win32.Save.a
BitDefender	Trojan.GenericKD.67184295
CrowdStrike	win/malicious_confidence_100% (W)
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Agent.FLB.gen!Eldorado
Symantec	MSIL.Packed.30
ESET-NOD32	a variant of MSIL/Kryptik.AIWK
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:ME1nt15Rno9qA3GEV+S+tw)
Emsisoft	Trojan.GenericKD.67184295 (B)
F-Secure	Heuristic.HEUR/AGEN.1323684
DrWeb	Trojan.PackedNET.2041
McAfee-GW-Edition	BehavesLike.Win32.Generic.jh
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.d29f7f2967179adb
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1323684
Antiy-AVL	Trojan/Win32.Sabsik
Arcabit	Trojan.Generic.D40126A7
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan-Stealer.MailPSW.2PRLBB@gen
Google	Detected
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZemsilF.36196.Qm0@aicPXXb
MAX	malware (ai score=84)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H07EN23
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.ae6c02
DeepInstinct	MALICIOUS

ray.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All