Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 23, 2023, 6:57 p.m.	Nov. 23, 2023, 6:59 p.m.

Size	387.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5	`1d6edfa073e4a8f072df28cfd5321bba`
SHA256	`e2e17c7a66b0571f7d35ecd4f5522eb697a234d2b3d803d609d3f804a63de168`
CRC32	`E44F6C82`
ssdeep	`12288:jhlB6y9c8QrCrFE1VC2GwI/+N+AP4PHpF:zB6EpQ+pNwI/+rP4PHf`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

tfsoft.exe "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"
3004
- dcomcnfg.exe "C:\Windows\system32\dcomcnfg.exe"
  1784
- cmd.exe "C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"
  2264

Name	Response	Post-Analysis Lookup
cdn.cuilet.com	A 42.7.60.207 A 122.189.171.106 A 36.248.64.77 A 175.43.23.80 CNAME cdn.cuilet.com.cdn.dnsv1.com A 36.248.64.52 A 118.212.235.111 A 36.248.64.126 A 221.204.209.156 A 116.136.12.139 A 36.248.64.54 CNAME 8s46n4vw.sched.sma.tdnsstic1.cn A 61.243.13.101 A 175.43.23.247 A 175.43.23.67	175.43.23.67
ddjf8dkd.wifi95.com	CNAME ddjf8dkd.wifi95.com.cdn.dnsv1.com	116.136.12.139
ddjf8dkd.wifi95.com	A 122.189.171.106 A 36.248.64.126 A 175.43.23.80 A 116.136.12.139 A 124.163.196.88 A 124.163.196.197 A 36.248.64.52 A 118.212.235.111 A 36.248.64.77 CNAME ddjf8dkd.wifi95.com.cdn.dnsv1.com A 211.91.52.56 A 36.248.64.54 A 61.243.13.101 A 175.43.23.247 CNAME c9g6lqgo.sched.sma.tdnsstic1.cn A 42.7.60.207 A 221.204.209.156 A 175.43.23.67	116.136.12.139
sp0.baidu.com	CNAME www.a.shifen.com A 119.63.197.151 A 119.63.197.139 CNAME www.wshifen.com	119.63.197.151
9xcb.oeklms.com	A 106.14.120.14	106.14.120.14
ddjf8dkd.wifi95.com.cdn.dnsv1.com	CNAME c9g6lqgo.sched.sma.tdnsstic1.cn	175.43.23.80
apps.game.qq.com	A 101.227.134.27 A 101.227.134.49	101.227.134.49
time.pool.aliyun.com	A 182.92.12.11 A 120.25.108.11 A 115.28.122.198	182.92.12.11
c9g6lqgo.sched.sma.tdnsstic1.cn		116.136.12.139
c9g6lqgo.sched.sma.tdnsstic1.cn	A 42.7.60.207 A 122.189.171.106 A 36.248.64.77 A 175.43.23.80 A 36.248.64.52 A 118.212.235.111 A 36.248.64.126 A 221.204.209.156 A 116.136.12.139 A 36.248.64.54 A 61.243.13.101 A 175.43.23.247 A 175.43.23.67	116.136.12.139
rip.oeklms.com	A 139.196.190.229	139.196.190.229

IP Address	Status	Action
101.227.134.27	Active	Moloch
106.14.120.14	Active	Moloch
114.114.114.114	Active	Moloch
118.212.235.111	Active	Moloch
119.63.197.139	Active	Moloch
139.196.190.229	Active	Moloch
164.124.101.2	Active	Moloch
175.43.23.80	Active	Moloch
182.92.12.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 119.63.197.139:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 119.63.197.139:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 119.63.197.139:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com	97:42:d5:98:27:d6:22:88:cf:59:c3:ff:75:86:8d:d5:d3:12:a0:af
TLSv1 192.168.56.102:49178 119.63.197.139:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com	97:42:d5:98:27:d6:22:88:cf:59:c3:ff:75:86:8d:d5:d3:12:a0:af

The executable uses a known packer (1 event)

packer

PECompact 2.xx --> BitSum Technologies

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 23, 2023, 6:57 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 1b 0c 73 exception.symbol: tfsoft+0x2256e exception.instruction: mov dword ptr [eax], ecx exception.module: tfsoft.exe exception.exception_code: 0xc0000005 exception.offset: 140654 exception.address: 0x129256e registers.esp: 4455340 registers.edi: 0 registers.eax: 0 registers.ebp: 4455356 registers.edx: 19473752 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0
__exception__ Nov. 23, 2023, 6:57 p.m.	stacktrace: tfsoft+0x113f0 @ 0x12813f0 tfsoft+0xa4f8a @ 0x1314f8a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45 exception.symbol: tfsoft+0x112e5 exception.instruction: in eax, dx exception.module: tfsoft.exe exception.exception_code: 0xc0000096 exception.offset: 70373 exception.address: 0x12812e5 registers.esp: 4454812 registers.edi: 66 registers.eax: 1447909480 registers.ebp: 4454868 registers.edx: 22104 registers.ebx: 0 registers.esi: 5714912 registers.ecx: 10	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://9xcb.oeklms.com/api/r/mcm
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ddjf8dkd.wifi95.com/api/userconfig/uc_2bd4378e4519b0a0f73b3cd533996173.json
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ddjf8dkd.wifi95.com/API/General/arearst
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ddjf8dkd.wifi95.com/API/General/lsrpu

Performs some HTTP requests (10 events)

request	GET http://cdn.cuilet.com/API/General/client_log_user
request	GET http://cdn.cuilet.com/api/filegoto1/81b1e3e4c7ac0cfc
request	GET http://apps.game.qq.com/comm-htdocs/ip/get_ip.php
request	GET http://cdn.cuilet.com/API/General/lsrpu
request	POST http://9xcb.oeklms.com/api/r/mcm
request	GET http://ddjf8dkd.wifi95.com/api/userconfig/uc_2bd4378e4519b0a0f73b3cd533996173.json
request	GET http://ddjf8dkd.wifi95.com/API/General/arearst
request	GET http://rip.oeklms.com/api/r/ip
request	GET http://ddjf8dkd.wifi95.com/API/General/lsrpu
request	GET http://ddjf8dkd.wifi95.com/API/General/thenewseven

Sends data using the HTTP POST Method (1 event)

request

POST http://9xcb.oeklms.com/api/r/mcm

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 114688 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b74000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x37490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77490000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fcd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 118784 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002594000 process_handle: 0xffffffffffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a80a0

size

0x000001b4

Creates a suspicious process (2 events)

cmdline	cmd.exe /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\tfsoft.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 23, 2023, 6:57 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe" filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (24 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: smss.exe process_identifier: 228	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 740	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000ac process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: tvnserver.exe process_identifier: 2660	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: pw.exe process_identifier: 2692	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: taskhost.exe process_identifier: 2816	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: cmd.exe process_identifier: 2916	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: conhost.exe process_identifier: 2928	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: pw.exe process_identifier: 2996	1	1
Process32NextW Nov. 23, 2023, 6:57 p.m.	snapshot_handle: 0x00000000000000c4 process_name: dcomcnfg.exe process_identifier: 1784	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0005f200', u'virtual_address': u'0x00001000', u'entropy': 7.999437912609023, u'name': u'.text', u'virtual_size': u'0x000a7000'}

entropy

7.99943791261

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001400', u'virtual_address': u'0x000a8000', u'entropy': 6.929024379056458, u'name': u'.rsrc', u'virtual_size': u'0x00002000'}

entropy

6.92902437906

description

A section with a high entropy has been found

entropy

0.998704663212

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (23 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 23, 2023, 6:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\test22\AppData\Local\Temp\tfsoft.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: f3df9cf2c907b2e58eab66e291976c0db111e968

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 created a remote thread in non-child process 2380
Process injection	Process 1784 created a remote thread in non-child process 2396
CreateRemoteThread Nov. 23, 2023, 6:57 p.m.	thread_identifier: 2400 process_identifier: 2380 function_address: 0x00000000000c0000 flags: 0 stack_size: 0 parameter: 0x00000000000b0000 process_handle: 0x00000000000000ac	1	176	0
CreateRemoteThread Nov. 23, 2023, 6:57 p.m.	thread_identifier: 1228 process_identifier: 2396 function_address: 0x00000000000c0000 flags: 0 stack_size: 0 parameter: 0x00000000000b0000 process_handle: 0x00000000000000ac	1	196	0

Manipulates memory of a non-child process indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 manipulating memory of non-child process 2380
Process injection	Process 1784 manipulating memory of non-child process 2396
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00000000002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2380 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000000290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 3928064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0
NtAllocateVirtualMemory Nov. 23, 2023, 6:57 p.m.	process_identifier: 2396 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000000ac	1	0	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1784 injected into non-child 2380
Process injection	Process 1784 injected into non-child 2396
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: RunDll base_address: 0x0000000000090000 process_identifier: 2380 process_handle: 0x00000000000000ac	1	1	0
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: -u 81b1e3e4c7ac0cfc -a 97458dc69149f919 -v f543a99dc77238b376f147b988f35c2c -exp 269cff33ebb15fcc -mnstars 2752512 base_address: 0x00000000000a0000 process_identifier: 2380 process_handle: 0x00000000000000ac	1	1	0
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: f w)w base_address: 0x00000000000b0000 process_identifier: 2380 process_handle: 0x00000000000000ac	1	1	0
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: RunDll base_address: 0x0000000000090000 process_identifier: 2396 process_handle: 0x00000000000000ac	1	1	0
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: -u 81b1e3e4c7ac0cfc -a 97458dc69149f919 -v f543a99dc77238b376f147b988f35c2c -exp 269cff33ebb15fcc -mnstars 2686976 -e4f6b07339f65a48 2380 base_address: 0x00000000000a0000 process_identifier: 2396 process_handle: 0x00000000000000ac	1	1	0
WriteProcessMemory Nov. 23, 2023, 6:57 p.m.	buffer: e w)w base_address: 0x00000000000b0000 process_identifier: 2396 process_handle: 0x00000000000000ac	1	1	0

Network activity contains more than one unique useragent (2 events)

process	tfsoft.exe				useragent	CHM_MSDN
process	tfsoft.exe				useragent	HttpSend

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 23, 2023, 6:57 p.m.	stacktrace: tfsoft+0x113f0 @ 0x12813f0 tfsoft+0xa4f8a @ 0x1314f8a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45 exception.symbol: tfsoft+0x112e5 exception.instruction: in eax, dx exception.module: tfsoft.exe exception.exception_code: 0xc0000096 exception.offset: 70373 exception.address: 0x12812e5 registers.esp: 4454812 registers.edi: 66 registers.eax: 1447909480 registers.ebp: 4454868 registers.edx: 22104 registers.ebx: 0 registers.esi: 5714912 registers.ecx: 10	1	0	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware1
Lionic	Hacktool.Win32.Shellcode.3!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Graftor.494706
McAfee	RDN/GenericU
Cylance	Unsafe
VIPRE	Trojan-Spy.Win32.Zbot.gen (v)
Sangfor	Exploit.Win32.Shellcode.gen
K7AntiVirus	Trojan ( 00577f261 )
Alibaba	Trojan:Win32/Shellcode.9ec9d7d0
K7GW	Trojan ( 00577f261 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Graftor.D78C72
Cyren	W32/Trojan.YYBI-5884
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ZJL
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Exploit.Win32.Shellcode.gen
BitDefender	Gen:Variant.Graftor.494706
NANO-Antivirus	Exploit.Win32.Shellcode.ifpkmf
Rising	Trojan.Agent!1.CF5E (CLOUD)
Ad-Aware	Gen:Variant.Graftor.494706
Sophos	ML/PE-A + Mal/Behav-010
Comodo	Malware@#2rks6x1k16vfn
F-Secure	Heuristic.HEUR/AGEN.1103265
DrWeb	Trojan.DownLoader36.34153
Zillya	Exploit.Shellcode.Win32.12
TrendMicro	Backdoor.Win32.ZEGOST.THAACBA
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.1d6edfa073e4a8f0
Emsisoft	Gen:Variant.Graftor.494706 (B)
Ikarus	Backdoor.Win32.Zegost
Avira	HEUR/AGEN.1103265
eGambit	Unsafe.AI_Score_58%
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	Trojan:Win32/Ymacco.AAE2
ViRobot	Trojan.Win32.S.Agent.396288.CB
ZoneAlarm	HEUR:Exploit.Win32.Shellcode.gen
GData	Gen:Variant.Graftor.494706
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Agent.C3143770
ALYac	Gen:Variant.Graftor.494706
MAX	malware (ai score=100)
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Trojan.Downloader
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	Backdoor.Win32.ZEGOST.THAACBA
Tencent	Win32.Exploit.Shellcode.Eaeg

tfsoft.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All