Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 20, 2023, 5:06 p.m.	July 20, 2023, 5:10 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7f4e427936de0eecd46ce643bf5c0d36`
SHA256	`d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5`
CRC32	`BF66F688`
ssdeep	`24576:Lqy2xGQm4hQgFyf6eQoez4SBylteu8Kd6mNIlQtZT2/jvemgB4toFv0lk4HcWNCI:NMy8Kd6mOatZT2/jJ0wovQfHcWNCI`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

arc.exe "C:\Users\test22\AppData\Local\Temp\arc.exe"
2552
- loader_250260_878155_1724_17072023.exe "C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe"
  2652
- arc.exe C:\Users\test22\AppData\Local\Temp\arc.exe
  2704

Name	Response	Post-Analysis Lookup
lisfwhite.ch2eck.yaheoo.com
listwhfite.check3.yaho1o.com

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
185.212.47.65	Active	Moloch
45.155.249.172	Active	Moloch
78.138.9.136	Active	Moloch
79.132.130.230	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 185.212.47.65:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 185.212.47.65:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 78.138.9.136:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 78.138.9.136:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 79.132.130.230:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 185.212.47.65:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 185.212.47.65:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 79.132.130.230:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 45.155.249.172:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 45.155.249.172:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 45.155.249.172:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 45.155.249.172:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 79.132.130.230:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 79.132.130.230:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (34 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:07 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:08 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:07 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2023, 5:08 p.m.	computer_name:		0
GetComputerNameW July 20, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 20, 2023, 5:06 p.m.			0	0
IsDebuggerPresent July 20, 2023, 5:06 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (5 events)

Time & API	Arguments	Status	Return
CryptExportKey July 20, 2023, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046b428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey July 20, 2023, 5:06 p.m.	buffer: f 9ZåºþÔ¤5Ò P[û«¥@g*ÞãO crypto_handle: 0x0046b428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey July 20, 2023, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046b528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2023, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046b528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 20, 2023, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046b4e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 20, 2023, 5:06 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.212.47.65/zerotohero/CqWrYX36XwWQ_2BrhS/mzLEl4vFf/xc4vWmEcWAJ9YFRyVKFO/ttNPV1ulfC_2FpRAGEU/1GwPDdK1QdBxInNimrN51p/Z3ahmcuTfYBo7/Kaj8dPd2/9mf_2B4_2B44IFDmcnO_2Ft/cbq2K326U1/jZ5r_2FXzmP3hUR7N/1DixZEqKIs7T/V2_2B7W4R8n/ojByzLKN1qA5e2/xatnfWr5qeXVvqV9Ka_2B/7CLEyBcLLr3EDHwN/3rLPjXlm7dduxz8/TEh4z8Yn6bC8oMLEXG/lAd_2FiD0/mxl7zdJF6HzdACUwM/uWM8.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://185.212.47.65/zerotohero/FgCIjqtD1C/AwnB0CDuorKMa8ksR/aEjpUJvisd_2/Fyx44HzwuYS/aidnq9yd8pDT0T/NgYDWyI2Ai5P5qt99QXPi/jA4E2_2Be_2Fc_2B/bWcqxXdiMKAL8KE/sbgN6r4ltId_2FpN0E/aiXKEXHHY/JjdAPnfNd6AGi1C5E1Wt/28f2aD9M9R2djADKBs7/7fthFgqmYQikGHLfwk_2BJ/LuUAzChbRGzy5/njcVwo6H/TC5tR2nJz_2FwX_2B29eAaL/7KU1y1ngiw/OR811oN4ZmZuRfEi1/bMuIgBALfI6hYvF/gvDV.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://45.155.249.172/zerotohero/_2F9FQStc6JLbSb0Aim/PmWWdoN5TseiAoeGXSCnHb/f3siUJm7sSMxf/G9bKoZCp/ToUTRIpO5loaw7dvIdLqAPz/Y_2FdMlaiS/sRpdSgA1rXRn2REvx/OLgHjV7rVkqr/hqKS0oziEAU/o8RF8RZV1PhOYn/3_2FI28IdRnnl1Pa_2BsI/QMarYG2EhXrJaYdB/mioJ96K9ci_2BTK/nI2nf8CFXQPE62qv02/Tw141ih4C/rGxEkCJU_2FoY51LZTFZ/JDcDUjJ1Nfm3nZTbACQ/t335aBNiwUI0fSDh/WyzuLFz.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://45.155.249.172/zerotohero/NQ4F2P317cVzNCxLOhg1F/8zo2PkPH0JNTkVQD/5KFUhh5g_2BqmC_/2F12sKc7QNCiIt8Y9Q/0gkTj71es/KP_2B3LuudW8CcWsZxc0/DZrsp9UbGxLuWnZHnIL/gpU7b2Ia1zgtxAn_2FLHVS/_2FqgZrYisxlR/kVcu_2BN/3o_2BJNwhL0UcCmviyxJN_2/FJdZ77WQgG/SpaJfTloxBssHKkJS/a_2FL7B4Vl6U/2EqyTD0mKiB/kh_2FocONHpHdL/5ewrs5O8oDLjrCJpWwXFV/RZffz9rgwAJcvl3D/uvmJZnLesLqNZl7/rdtQ8vt4wMbESjvt_/2FxX.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://78.138.9.136/zerotohero/o3Qw3IIKAJX3J/UqAt8bW_/2BUZ0UoeiySDNS6_2FUW2wA/3hFn7Sl4kN/ftoKvV5fG4Hlj1TSU/x9EtzVflg8DH/M2gdAUaDeoM/xHn0zpZ5tqgQxS/UIfCGC7fdX4cy165VPzjU/qFkYEqLUusHWmxl1/03Oe4374cOZpI_2/BpUlT2zKKRN2ct1ni8/Kyaip_2FL/RdYQJnJxCQC9LMM9KItd/rGuDDOExo8f1GlIaTy_/2FY2axb2jutNFLTc8FH2gt/2NCOwCjYICOIB/thzeHDY5/OMSNh7TmOBdBV10AHn/U.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://78.138.9.136/zerotohero/tVgvWq4_2/BvU_2B3JHn6rBZN_2F78/kvXaeOFxBvKlMcTqcE9/hW9zLHBjbqaNPH3AUetC7h/3jB4YK94wFnF_/2FLCTLTl/OQOh_2BEMlq9kORiGRX3UGM/4XDgo2LSPA/QU2PjXw5cS1FKeqzx/NSRV7tkllKkn/06MFyAN39Zz/4Vhliec7utGGCr/lxOgXn9vBfQjzB42cyR6M/jOG9REVRM2tybo10/JzR8Z2liDNL0xrJ/wCNgVlEXFNrLtvbD23/Ci_2BRGWl/fc1PXbvpNet_2F5vOd3J/14nskWbz3d_2F/UU9f.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/h2pES8vvQ9Dvo3V/hlcSi0l1F9v5LWGLOU/lNLO_2Bf9/1ZUnyh2KkRK_2BK_2FkT/B1qvcsMLsENIIKY07e_/2BBJkDPX88nUBOmNkxpsAL/daYERlvY44cCV/bb5JGPTp/wxiwu6MqPi13_2BBhBKtdcy/2XJp_2Fubp/UWOfmfkpHbfwbD_2F/AnrdfTwDxB49/3p5ljWW0mVB/kNUkbjfVuy_2FS/gZnIixUlWrtIET_2B6yPH/BGzrFLgAm1zI1rE5/NqlChuR_2B6Px8F/XpdH_2FRUoOGbXz3eG/hUrQfJr34qTs7V_2FIaI_2/F.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/Y_2FSqUCXDqJ0i_2FAiCDUu/MYNX7B7heM/GrHKHAHhAJfZZnZLY/ZUN96plx1WtO/Yh5YpB2GQS9/ytHVCw6X6Am2me/_2BZa2gFxOKYo42X_2Bis/uHG_2Bh_2FCRyy1j/HJA3PTfuKn2mM_2/Bo6tNqNWvmwJZgUS3_/2F_2B4Q6T/YQUg16lQ1UYirz_2F3Td/dSpdyVyoXNK9gGKMgaY/pdYE5MFY9TQzkXVlCy9KAT/iuujSOGfSd9zm/l99IR7CG/RCtkfs_2FtsvJqfOZpahaQ8/lJE8rw9jHb/81KiC8i2/EDCzwKNK/_2FgN.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/J_2FsnJcuBz7ISKZ/7yjFKK2ZjJUJF0c/4lQRo6T1DnNr4kYV5G/lapFedOu2/PSf_2BBx3S0scfjDFFdp/sbBPjxI0AXVwXA1O_2F/w5gYNLVyDOldLOd_2FoAsp/ofci1W_2BGxqp/dSahW4x5/SD_2Bvv0dL0_2FkhXU6ldx5/83ouXZGs4J/yNzEw7V31EiOeqpr8/3s6ziH104BCw/iJDCp7r6yvM/ecSlA9BwncFOHW/KL4f0g4TikWiKFj6x01xn/JXpInaNgsXT_2Bza/fDi4X844IybUwY7/J9aoupFGv_2Bxj8SiO/adKKLFnpEvrIf2_/2FG1kLm.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/mdPSIyIkqr1RaBA606yd/7lOoa9x_2F0JudJY5_2/BoI9NqeqO3W7h_2BJycshU/am8kAnvTovBLt/6GFuxlV8/Gzl_2F18zkUa4KcCypu43ZE/2IY6Vqza0M/x81isIVB6eMI72ihh/aimsSr7RxjsG/aALRWJb8SZ2/lM03TOYfbuRZmL/Tm_2FAfgkdO6imvN8FOYF/WiFzR0dhr9iymNe3/yB_2FCDb_2B_2Bx/1suMDMDn8T1iBqi7RM/677p_2Fx4/VnzhkvEcTCuWzJhcmuUD/gu0hujFj_2BFX9yMt2M/iEEoucXiRQ8gFz_2F0LbLq/Ufc4_2Fgi/XgDDD.asi

Performs some HTTP requests (10 events)

request	GET http://185.212.47.65/zerotohero/CqWrYX36XwWQ_2BrhS/mzLEl4vFf/xc4vWmEcWAJ9YFRyVKFO/ttNPV1ulfC_2FpRAGEU/1GwPDdK1QdBxInNimrN51p/Z3ahmcuTfYBo7/Kaj8dPd2/9mf_2B4_2B44IFDmcnO_2Ft/cbq2K326U1/jZ5r_2FXzmP3hUR7N/1DixZEqKIs7T/V2_2B7W4R8n/ojByzLKN1qA5e2/xatnfWr5qeXVvqV9Ka_2B/7CLEyBcLLr3EDHwN/3rLPjXlm7dduxz8/TEh4z8Yn6bC8oMLEXG/lAd_2FiD0/mxl7zdJF6HzdACUwM/uWM8.asi
request	GET http://185.212.47.65/zerotohero/FgCIjqtD1C/AwnB0CDuorKMa8ksR/aEjpUJvisd_2/Fyx44HzwuYS/aidnq9yd8pDT0T/NgYDWyI2Ai5P5qt99QXPi/jA4E2_2Be_2Fc_2B/bWcqxXdiMKAL8KE/sbgN6r4ltId_2FpN0E/aiXKEXHHY/JjdAPnfNd6AGi1C5E1Wt/28f2aD9M9R2djADKBs7/7fthFgqmYQikGHLfwk_2BJ/LuUAzChbRGzy5/njcVwo6H/TC5tR2nJz_2FwX_2B29eAaL/7KU1y1ngiw/OR811oN4ZmZuRfEi1/bMuIgBALfI6hYvF/gvDV.asi
request	GET http://45.155.249.172/zerotohero/_2F9FQStc6JLbSb0Aim/PmWWdoN5TseiAoeGXSCnHb/f3siUJm7sSMxf/G9bKoZCp/ToUTRIpO5loaw7dvIdLqAPz/Y_2FdMlaiS/sRpdSgA1rXRn2REvx/OLgHjV7rVkqr/hqKS0oziEAU/o8RF8RZV1PhOYn/3_2FI28IdRnnl1Pa_2BsI/QMarYG2EhXrJaYdB/mioJ96K9ci_2BTK/nI2nf8CFXQPE62qv02/Tw141ih4C/rGxEkCJU_2FoY51LZTFZ/JDcDUjJ1Nfm3nZTbACQ/t335aBNiwUI0fSDh/WyzuLFz.asi
request	GET http://45.155.249.172/zerotohero/NQ4F2P317cVzNCxLOhg1F/8zo2PkPH0JNTkVQD/5KFUhh5g_2BqmC_/2F12sKc7QNCiIt8Y9Q/0gkTj71es/KP_2B3LuudW8CcWsZxc0/DZrsp9UbGxLuWnZHnIL/gpU7b2Ia1zgtxAn_2FLHVS/_2FqgZrYisxlR/kVcu_2BN/3o_2BJNwhL0UcCmviyxJN_2/FJdZ77WQgG/SpaJfTloxBssHKkJS/a_2FL7B4Vl6U/2EqyTD0mKiB/kh_2FocONHpHdL/5ewrs5O8oDLjrCJpWwXFV/RZffz9rgwAJcvl3D/uvmJZnLesLqNZl7/rdtQ8vt4wMbESjvt_/2FxX.asi
request	GET http://78.138.9.136/zerotohero/o3Qw3IIKAJX3J/UqAt8bW_/2BUZ0UoeiySDNS6_2FUW2wA/3hFn7Sl4kN/ftoKvV5fG4Hlj1TSU/x9EtzVflg8DH/M2gdAUaDeoM/xHn0zpZ5tqgQxS/UIfCGC7fdX4cy165VPzjU/qFkYEqLUusHWmxl1/03Oe4374cOZpI_2/BpUlT2zKKRN2ct1ni8/Kyaip_2FL/RdYQJnJxCQC9LMM9KItd/rGuDDOExo8f1GlIaTy_/2FY2axb2jutNFLTc8FH2gt/2NCOwCjYICOIB/thzeHDY5/OMSNh7TmOBdBV10AHn/U.asi
request	GET http://78.138.9.136/zerotohero/tVgvWq4_2/BvU_2B3JHn6rBZN_2F78/kvXaeOFxBvKlMcTqcE9/hW9zLHBjbqaNPH3AUetC7h/3jB4YK94wFnF_/2FLCTLTl/OQOh_2BEMlq9kORiGRX3UGM/4XDgo2LSPA/QU2PjXw5cS1FKeqzx/NSRV7tkllKkn/06MFyAN39Zz/4Vhliec7utGGCr/lxOgXn9vBfQjzB42cyR6M/jOG9REVRM2tybo10/JzR8Z2liDNL0xrJ/wCNgVlEXFNrLtvbD23/Ci_2BRGWl/fc1PXbvpNet_2F5vOd3J/14nskWbz3d_2F/UU9f.asi
request	GET http://79.132.130.230/zerotohero/h2pES8vvQ9Dvo3V/hlcSi0l1F9v5LWGLOU/lNLO_2Bf9/1ZUnyh2KkRK_2BK_2FkT/B1qvcsMLsENIIKY07e_/2BBJkDPX88nUBOmNkxpsAL/daYERlvY44cCV/bb5JGPTp/wxiwu6MqPi13_2BBhBKtdcy/2XJp_2Fubp/UWOfmfkpHbfwbD_2F/AnrdfTwDxB49/3p5ljWW0mVB/kNUkbjfVuy_2FS/gZnIixUlWrtIET_2B6yPH/BGzrFLgAm1zI1rE5/NqlChuR_2B6Px8F/XpdH_2FRUoOGbXz3eG/hUrQfJr34qTs7V_2FIaI_2/F.asi
request	GET http://79.132.130.230/zerotohero/Y_2FSqUCXDqJ0i_2FAiCDUu/MYNX7B7heM/GrHKHAHhAJfZZnZLY/ZUN96plx1WtO/Yh5YpB2GQS9/ytHVCw6X6Am2me/_2BZa2gFxOKYo42X_2Bis/uHG_2Bh_2FCRyy1j/HJA3PTfuKn2mM_2/Bo6tNqNWvmwJZgUS3_/2F_2B4Q6T/YQUg16lQ1UYirz_2F3Td/dSpdyVyoXNK9gGKMgaY/pdYE5MFY9TQzkXVlCy9KAT/iuujSOGfSd9zm/l99IR7CG/RCtkfs_2FtsvJqfOZpahaQ8/lJE8rw9jHb/81KiC8i2/EDCzwKNK/_2FgN.asi
request	GET http://79.132.130.230/zerotohero/J_2FsnJcuBz7ISKZ/7yjFKK2ZjJUJF0c/4lQRo6T1DnNr4kYV5G/lapFedOu2/PSf_2BBx3S0scfjDFFdp/sbBPjxI0AXVwXA1O_2F/w5gYNLVyDOldLOd_2FoAsp/ofci1W_2BGxqp/dSahW4x5/SD_2Bvv0dL0_2FkhXU6ldx5/83ouXZGs4J/yNzEw7V31EiOeqpr8/3s6ziH104BCw/iJDCp7r6yvM/ecSlA9BwncFOHW/KL4f0g4TikWiKFj6x01xn/JXpInaNgsXT_2Bza/fDi4X844IybUwY7/J9aoupFGv_2Bxj8SiO/adKKLFnpEvrIf2_/2FG1kLm.asi
request	GET http://79.132.130.230/zerotohero/mdPSIyIkqr1RaBA606yd/7lOoa9x_2F0JudJY5_2/BoI9NqeqO3W7h_2BJycshU/am8kAnvTovBLt/6GFuxlV8/Gzl_2F18zkUa4KcCypu43ZE/2IY6Vqza0M/x81isIVB6eMI72ihh/aimsSr7RxjsG/aALRWJb8SZ2/lM03TOYfbuRZmL/Tm_2FAfgkdO6imvN8FOYF/WiFzR0dhr9iymNe3/yB_2FCDb_2B_2Bx/1suMDMDn8T1iBqi7RM/677p_2Fx4/VnzhkvEcTCuWzJhcmuUD/gu0hujFj_2BFX9yMt2M/iEEoucXiRQ8gFz_2F0LbLq/Ufc4_2Fgi/XgDDD.asi

Allocates read-write-execute memory (usually to unpack itself) (50 out of 97 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0018aa00', u'virtual_address': u'0x00002000', u'entropy': 7.2428246962325264, u'name': u'.text', u'virtual_size': u'0x0018a864'}

entropy

7.24282469623

description

A section with a high entropy has been found

entropy

0.998734577665

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 20, 2023, 5:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fe6c309183675874ed8f4acae3f24890fed44a11

Communicates with host for which no DNS query was performed (5 events)

host	117.18.232.200
host	185.212.47.65
host	45.155.249.172
host	78.138.9.136
host	79.132.130.230

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2704 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 20, 2023, 5:06 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Disables proxy possibly for traffic interception (2 events)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 20, 2023, 5:06 p.m.	key_handle: 0x00000308 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0
RegSetValueExA July 20, 2023, 5:06 p.m.	key_handle: 0x000002b4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Y+çÿxçÿxçÿxlxçÿxçþxQçÿxÞè¢xçÿxvxçÿxkxçÿxnxçÿxRichçÿxPEL°Ã¯dà ¿0@ðè0P`pä0¨.textR `.rdataÀ0@@.data@@À.bssßP@À.rsrc`"@@.relocpr$@@JJ!©aïÙJr° base_address: 0x00400000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: n4B2V2h2222´2¼2Ê2Ö2æ2ú2342&222(444X4H4B3P3`3t333ª3º3Ì3Ü3ö384433à1´4d·È n;¬0Ù&AÜvôQkkXa²M<qP ¸íDðè£ÖÖ³aË°ÂdÔÒÓxâ ò½½Ì1ü10@13081¦40n4B2V2h2222´2¼2Ê2Ö2æ2ú2342&222(444X4H4B3P3`3t333ª3º3Ì3Ü3ö384433à1´40NtQuerySystemInformationntdll.dllExitProcessGetCommandLineWÎHeapDestroyÍHeapCreateGetModuleHandleAGetLocaleInfoAnGetSystemDefaultUILanguageËHeapAllocÏHeapFreeùWaitForSingleObject²SleepExitThreadNlstrlenWGetLastErrorâVerLanguageNameAàGetExitCodeThreadRCloseHandleKERNEL32.dllHmemset_snwprintfOpenProcessCreateEventAGetLongPathNameW¢GetVersionÁGetCurrentProcessIdEGetProcAddress<LoadLibraryAïVirtualProtectWMapViewOfFileyGetSystemTimeAsFileTimeCreateFileMappingWµSleepExÁTerminateThreadsSetLastError¯QueueUserAPCµCreateThreadGetModuleFileNameWqConvertStringSecurityDescriptorToSecurityDescriptorAADVAPI32.dllþ_aulldiv base_address: 0x00403000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00404000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: 5ÿãß<øÑó)FµéÈu µ»Ð>u%¨ÍËMs.n Ô§¹UpFhÌµ¹a}ÒX¡'ÅK®ÅF6ÛU¹Q)ûBVB1«Ó¹ÚJiBSªÆ´©FÂá7.éìÂ¾Ì bÖ:½Åä¯òZïTü½7÷IØè3ÓtÍäwJ;ÈpoøäwF; AqÔg¥rp[ÚZ sj!pãqØ3pãqýø&ÕUà÷è4ÎóÊè%:"7ÅÚæ.>¡?âãF 6¯?îðÒé0¯UîùÒõ1¯UîìÒúË®;eBA æ7iI: rÔªESEbÜ·PSzbÚ¢ÖJ,jnÝÇê51AàòÄÿ :Eïòã÷QòøºÐ»ÆúöGÙ°Ä·Tñ<Ù¬R®wç:EîÑ=éÚ6 ñÍ@»é$imêÎS¼ô$iZßêAÅâõQàòx» ,oàÇMþ4]sÊ¾_5+©¸ó_m u®å=uqªÛQ ¨Õ@´â\|bÂ6¦öéxh¾ÿ1sîèÀÆô)Oñ\|¼¢2DÍ§ÄoÍ£Är.Mü»a0âÏ¨¯)éHòÿÓKóTæµ¦ IC@Ó°ä z@;ßÕºk@ßæ¬Ðõ4KÇhìþ4µ Q§kæïA±F½NK Ù¤FßWQéÓSÛåEÿB³¸È34F·#Èç+$ 6Ã&íûôéI\´Æ\|3í¼ºr=2ä¾ÇNF2wåÂÓ°á pþC×Ø{åÚÓôBËqÛÞëLÖýß¥Ó"ãa÷üíÑ Õaëýù¾"Éül¼ »üZ© ¨!þ(F§þB4Ó6Q rÓ*WW#¤/ë7Ý0¯0Ò base_address: 0x00405000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00406000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x000003ec	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Y+çÿxçÿxçÿxlxçÿxçþxQçÿxÞè¢xçÿxvxçÿxkxçÿxnxçÿxRichçÿxPEL°Ã¯dà ¿0@ðè0P`pä0¨.textR `.rdataÀ0@@.data@@À.bssßP@À.rsrc`"@@.relocpr$@@JJ!©aïÙJr° base_address: 0x00400000 process_identifier: 2704 process_handle: 0x000003ec	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 2704
NtSetContextThread July 20, 2023, 5:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4200383 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 2704	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2704
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2704	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW July 20, 2023, 5:06 p.m.	thread_identifier: 2656 thread_handle: 0x00000418 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\loader_250260_878155_1724_17072023.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000420	1	1
CreateProcessInternalW July 20, 2023, 5:06 p.m.	thread_identifier: 2708 thread_handle: 0x000002a4 process_identifier: 2704 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\arc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ec	1	1
NtGetContextThread July 20, 2023, 5:06 p.m.	thread_handle: 0x000002a4	1	0
NtAllocateVirtualMemory July 20, 2023, 5:06 p.m.	process_identifier: 2704 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Y+çÿxçÿxçÿxlxçÿxçþxQçÿxÞè¢xçÿxvxçÿxkxçÿxnxçÿxRichçÿxPEL°Ã¯dà ¿0@ðè0P`pä0¨.textR `.rdataÀ0@@.data@@À.bssßP@À.rsrc`"@@.relocpr$@@JJ!©aïÙJr° base_address: 0x00400000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00401000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: n4B2V2h2222´2¼2Ê2Ö2æ2ú2342&222(444X4H4B3P3`3t333ª3º3Ì3Ü3ö384433à1´4d·È n;¬0Ù&AÜvôQkkXa²M<qP ¸íDðè£ÖÖ³aË°ÂdÔÒÓxâ ò½½Ì1ü10@13081¦40n4B2V2h2222´2¼2Ê2Ö2æ2ú2342&222(444X4H4B3P3`3t333ª3º3Ì3Ü3ö384433à1´40NtQuerySystemInformationntdll.dllExitProcessGetCommandLineWÎHeapDestroyÍHeapCreateGetModuleHandleAGetLocaleInfoAnGetSystemDefaultUILanguageËHeapAllocÏHeapFreeùWaitForSingleObject²SleepExitThreadNlstrlenWGetLastErrorâVerLanguageNameAàGetExitCodeThreadRCloseHandleKERNEL32.dllHmemset_snwprintfOpenProcessCreateEventAGetLongPathNameW¢GetVersionÁGetCurrentProcessIdEGetProcAddress<LoadLibraryAïVirtualProtectWMapViewOfFileyGetSystemTimeAsFileTimeCreateFileMappingWµSleepExÁTerminateThreadsSetLastError¯QueueUserAPCµCreateThreadGetModuleFileNameWqConvertStringSecurityDescriptorToSecurityDescriptorAADVAPI32.dllþ_aulldiv base_address: 0x00403000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00404000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: 5ÿãß<øÑó)FµéÈu µ»Ð>u%¨ÍËMs.n Ô§¹UpFhÌµ¹a}ÒX¡'ÅK®ÅF6ÛU¹Q)ûBVB1«Ó¹ÚJiBSªÆ´©FÂá7.éìÂ¾Ì bÖ:½Åä¯òZïTü½7÷IØè3ÓtÍäwJ;ÈpoøäwF; AqÔg¥rp[ÚZ sj!pãqØ3pãqýø&ÕUà÷è4ÎóÊè%:"7ÅÚæ.>¡?âãF 6¯?îðÒé0¯UîùÒõ1¯UîìÒúË®;eBA æ7iI: rÔªESEbÜ·PSzbÚ¢ÖJ,jnÝÇê51AàòÄÿ :Eïòã÷QòøºÐ»ÆúöGÙ°Ä·Tñ<Ù¬R®wç:EîÑ=éÚ6 ñÍ@»é$imêÎS¼ô$iZßêAÅâõQàòx» ,oàÇMþ4]sÊ¾_5+©¸ó_m u®å=uqªÛQ ¨Õ@´â\|bÂ6¦öéxh¾ÿ1sîèÀÆô)Oñ\|¼¢2DÍ§ÄoÍ£Är.Mü»a0âÏ¨¯)éHòÿÓKóTæµ¦ IC@Ó°ä z@;ßÕºk@ßæ¬Ðõ4KÇhìþ4µ Q§kæïA±F½NK Ù¤FßWQéÓSÛåEÿB³¸È34F·#Èç+$ 6Ã&íûôéI\´Æ\|3í¼ºr=2ä¾ÇNF2wåÂÓ°á pþC×Ø{åÚÓôBËqÛÞëLÖýß¥Ó"ãa÷üíÑ Õaëýù¾"Éül¼ »üZ© ¨!þ(F§þB4Ó6Q rÓ*WW#¤/ë7Ý0¯0Ò base_address: 0x00405000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00406000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: base_address: 0x00407000 process_identifier: 2704 process_handle: 0x000003ec	1	1
WriteProcessMemory July 20, 2023, 5:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x000003ec	1	1
NtSetContextThread July 20, 2023, 5:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4200383 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 2704	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x00000090 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread July 20, 2023, 5:06 p.m.	thread_handle: 0x00000090 suspend_count: 1 process_identifier: 2704	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

MicroWorld-eScan	Gen:Variant.MSILHeracles.96835
Sangfor	Trojan.Msil.Gozi.Vdq0
Alibaba	Trojan:MSIL/GenKryptik.a14e7bee
Cybereason	malicious.8f83f0
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/ABRisk.EQZT-2196
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AJGE
TrendMicro-HouseCall	TROJ_GEN.R002H0DGJ23
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.MSILHeracles.96835
Avast	Win32:DropperX-gen [Drp]
Emsisoft	Gen:Variant.MSILHeracles.96835 (B)
F-Secure	Trojan.TR/AD.Ursnif.wizix
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.7f4e427936de0eec
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Dropper.Gen
Google	Detected
Avira	TR/AD.Ursnif.wizix
Microsoft	Trojan:Win32/Gozi.AN!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.Agent.1NX9WQ
Cynet	Malicious (score: 100)
AhnLab-V3	Dropper/Win.DropperX-gen.C5458050
Panda	Trj/Chgt.AD
APEX	Malicious
Rising	Trojan.Kryptik!8.8 (CLOUD)
MAX	malware (ai score=88)
MaxSecure	Trojan.W32.Strab.gen_260344
Fortinet	MSIL/Agent.PLI!tr.dldr
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

arc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All