Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 25, 2023, 5:35 p.m.	May 25, 2023, 5:40 p.m.

Size	638.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`35b9124a72b939bddecd642532c56d4f`
SHA256	`16cb75f304ead30d5c624f026272b3c6a3b533f087197c240fa92b1b69646045`
CRC32	`0AAE4A45`
ssdeep	`12288:x2iN/I3c8Vrao5qrEUt8R9XIBbAaz2a1P9mnwK7t8hXZ:x1hIFao5qrIRpIBx1DKGhp`
PDB Path	spRT.pdb
Yara	Win_Trojan_Formbook_Zero - Used Formbook Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

black.pif "C:\Users\test22\AppData\Local\Temp\black.pif"
912
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\HadYFjZ.exe"
  2676
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp"
  2728
- black.pif "C:\Users\test22\AppData\Local\Temp\black.pif"
  2820

Name	Response	Post-Analysis Lookup
api.ipify.org	A 64.185.227.155 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	173.231.16.76

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.252.179.22	Active	Moloch
64.185.227.155	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 64.185.227.155:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 185.252.179.22:80	2034579	ET MALWARE AgentTesla Communicating with CnC Server	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49170 64.185.227.155:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.ipify.org	f4:76:2d:2c:65:d1:15:be:19:a4:c5:e0:8d:eb:89:1a:b6:75:4a:54

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 5:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 5:35 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:35 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:36 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:36 p.m.			0	0
IsDebuggerPresent May 25, 2023, 5:36 p.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\HadYFjZ console_handle: 0x00000053	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: .exe console_handle: 0x0000005f	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW May 25, 2023, 5:36 p.m.	buffer: SUCCESS: The scheduled task "Updates\HadYFjZ" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f9f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062a0760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062a0760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062a0520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

spRT.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 5:35 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 25, 2023, 5:36 p.m.	stacktrace: 0x560884 0x5607fb 0x56068d 0x56006f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72662652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7267264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72672e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72727610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x563b6d registers.esp: 3010312 registers.edi: 3010336 registers.eax: 0 registers.ebp: 3010348 registers.edx: 195 registers.ebx: 38125116 registers.esi: 38153668 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 25, 2023, 5:36 p.m.

stacktrace:

0x560884
0x5607fb
0x56068d
0x56006f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72662652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7267264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72672e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x727274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72727610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x727b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x727b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x727b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x727b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x563b6d
registers.esp: 3010312
registers.edi: 3010336
registers.eax: 0
registers.ebp: 3010348
registers.edx: 195
registers.ebx: 38125116
registers.esi: 38153668
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://185.252.179.22/black/inc/b7c6f3f48ef1c3.php

Performs some HTTP requests (2 events)

request	POST http://185.252.179.22/black/inc/b7c6f3f48ef1c3.php
request	GET https://api.ipify.org/

Sends data using the HTTP POST Method (1 event)

request

POST http://185.252.179.22/black/inc/b7c6f3f48ef1c3.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 233 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:35 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00876000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00877000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00878000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00879000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08df1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08df7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2676 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd42000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (10 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\HadYFjZ.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\HadYFjZ.exe"
cmdline	schtasks.exe /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 25, 2023, 5:36 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\HadYFjZ.exe" filepath: powershell	1	1	0
ShellExecuteExW May 25, 2023, 5:36 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp" filepath: schtasks.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 25, 2023, 5:36 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009f000', u'virtual_address': u'0x00002000', u'entropy': 7.697551959663747, u'name': u'.text', u'virtual_size': u'0x0009eef8'}

entropy

7.69755195966

description

A section with a high entropy has been found

entropy

0.996865203762

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 5:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 25, 2023, 5:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

185.252.179.22

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2820 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	1	0	0

A process attempted to delay the analysis task. (1 event)

description

black.pif tried to sleep 2728274 seconds, actually delayed analysis time by 2728274 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;dbdà0Þ @ @OÀFà H.textä `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName10804ac6-2cb6-436e-85c5-c4f417e955aa.exe(LegalCopyright \|)OriginalFilename10804ac6-2cb6-436e-85c5-c4f417e955aa.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: à= base_address: 0x0042e000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2820 process_handle: 0x000003cc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;dbdà0Þ @ @OÀFà H.textä `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2820 process_handle: 0x000003cc	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 25, 2023, 5:36 p.m.	thread_identifier: 0 callback_function: 0x006e0872 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	1442009	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 called NtSetContextThread to modify thread in remote process 2820
NtSetContextThread May 25, 2023, 5:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4369886 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 2820	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 resumed a thread in remote process 2820
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2820	1	0	0

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread May 25, 2023, 5:35 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 912	1	0
NtResumeThread May 25, 2023, 5:35 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 912	1	0
NtResumeThread May 25, 2023, 5:35 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 912	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 912	1	0
CreateProcessInternalW May 25, 2023, 5:36 p.m.	thread_identifier: 2680 thread_handle: 0x000003b4 process_identifier: 2676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\HadYFjZ.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW May 25, 2023, 5:36 p.m.	thread_identifier: 2732 thread_handle: 0x00000374 process_identifier: 2728 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HadYFjZ" /XML "C:\Users\test22\AppData\Local\Temp\tmp8A54.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW May 25, 2023, 5:36 p.m.	thread_identifier: 2824 thread_handle: 0x00000368 process_identifier: 2820 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\black.pif track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\black.pif stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtGetContextThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000368	1	0
NtAllocateVirtualMemory May 25, 2023, 5:36 p.m.	process_identifier: 2820 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	1	0
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;dbdà0Þ @ @OÀFà H.textä `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: base_address: 0x00402000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName10804ac6-2cb6-436e-85c5-c4f417e955aa.exe(LegalCopyright \|)OriginalFilename10804ac6-2cb6-436e-85c5-c4f417e955aa.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: à= base_address: 0x0042e000 process_identifier: 2820 process_handle: 0x000003cc	1	1
WriteProcessMemory May 25, 2023, 5:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2820 process_handle: 0x000003cc	1	1
NtSetContextThread May 25, 2023, 5:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4369886 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2676	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2676	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 2676	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 2676	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 25, 2023, 5:36 p.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2820	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.99708
FireEye	Trojan.GenericKDZ.99708
McAfee	Artemis!35B9124A72B9
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
Arcabit	Trojan.Lazy.D546CC
Cyren	W32/MSIL_Kryptik.JJR.gen!Eldorado
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/Kryptik.AIWO
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKDZ.99708
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan.Taskun.Mjgl
DrWeb	Trojan.Siggen20.56026
VIPRE	Gen:Variant.Lazy.345804
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Trapmine	malicious.moderate.ml.score
Emsisoft	Trojan.GenericKDZ.99708 (B)
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:MSIL/AgentTesla.ABXG!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKDZ.99708
Google	Detected
AhnLab-V3	Trojan/Win.PWSX-gen.C5432220
MAX	malware (ai score=82)
Malwarebytes	Trojan.MalPack.PNG
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:jMGMOMGs2LLI2npWDkGtfg)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.GIHO!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

black.pif

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All