Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 12, 2024, 7:55 a.m.	Jan. 12, 2024, 8:04 a.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d1a6f9be6f046fcdd20d871cec0e1a42`
SHA256	`cd2e465d6a7fabbdb606645b710f24e2c3fbeb0860dc5e9d5d14f24e06e80c12`
CRC32	`E66A43B6`
ssdeep	`98304:xUumioAgFSVP3J3p0UP2scJUNO7VTiR8L:eumbhSVPp/OCOxiu`
PDB Path	community_from_a_psychology_event.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file

plugins.exe "C:\Users\test22\AppData\Local\Temp\plugins.exe"
1552
- InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2576

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 23.74.21.196	104.75.41.21

IP Address	Status	Action
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
23.74.21.196	Active	Moloch
95.217.25.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.99:443 -> 192.168.56.103:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49167 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.217.25.10:443 -> 192.168.56.103:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 23.74.21.196:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 23.74.21.196:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 12, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 12, 2024, 7:56 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 12, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Jan. 12, 2024, 7:55 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 12, 2024, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006024f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2024, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006024f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2024, 7:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006025b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

community_from_a_psychology_event.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 12, 2024, 7:55 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 12, 2024, 7:56 a.m.	stacktrace: installutil+0x1b973 @ 0x41b973 installutil+0x1dea6 @ 0x41dea6 installutil+0x1e309 @ 0x41e309 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 08 03 47 08 89 5d fc 89 46 08 40 50 c7 45 exception.symbol: installutil+0x15931 exception.instruction: mov eax, dword ptr [eax + 8] exception.module: InstallUtil.exe exception.exception_code: 0xc0000005 exception.offset: 88369 exception.address: 0x415931 registers.esp: 3710552 registers.edi: 3710956 registers.eax: 1 registers.ebp: 3710580 registers.edx: 1933960925 registers.ebx: 0 registers.esi: 3710944 registers.ecx: 3710956	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199601319247

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199601319247

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00553000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00554000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 1552 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00390c00', u'virtual_address': u'0x00002000', u'entropy': 7.176644456015017, u'name': u'.text', u'virtual_size': u'0x00390ad4'}

entropy

7.17664445602

description

A section with a high entropy has been found

entropy

0.965873015873

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://t.me/bg3goty
url	https://steamcommunity.com/profiles/76561199601319247

Yara rule detected in process memory (17 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 6cb519c8b4fe2e5bcd9930a0019dcc18034cc982
buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41

Communicates with host for which no DNS query was performed (1 event)

host

95.217.25.10

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 2576 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELÓ'eà :N0âP@à%Î¡@h/ p%°%È=PÐ.text39: `.rdataLéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: \¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSC\¿C.?AVbad_alloc@std@@\¿C.?AVexception@std@@\¿C.?AVtype_info@@\¿C.?AVbad_cast@std@@\¿C.?AVbad_typeid@std@@\¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ C<ØC8ØC4ØC0ØC,ØC(ØC$ØCØCØCØCØCô×Cì×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C´×C°×C¨×C×C×C×CÌ×C×C\|×Ct×Ch×C`×CT×CH×CD×C@×C4×C ×C×C ×C×CüÖCôÖCìÖCäÖCÜÖCÌÖC¼ÖC¬ÖCÖCÖCtÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCÖCðÕCÜÕCÐÕCÄÕC8ÖC¸ÕC¬ÕCÕCÕCxÕCdÕCPÕCHÕC@ÕC,ÕCÕCðÔC°CD°CD°CD°CD°CD`KDÚC ßC àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿÚCÜCÿÿÿÿ ÜC.\¿C.?AVlogic_error@std@@\¿C.?AVinvalid_argument@std@@\¿C.?AVlength_error@std@@\¿C.?AVout_of_range@std@@\¿C.?AVruntime_error@std@@\¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2576 process_handle: 0x000002a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELÓ'eà :N0âP@à%Î¡@h/ p%°%È=PÐ.text39: `.rdataLéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000002a4	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	InstallUtil.exe				useragent
process	InstallUtil.exe				useragent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0 uacq

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1552 called NtSetContextThread to modify thread in remote process 2576
NtSetContextThread Jan. 12, 2024, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 3733836 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2576	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1552 resumed a thread in remote process 2576
NtResumeThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2576	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 12, 2024, 7:55 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1552	1	0
NtResumeThread Jan. 12, 2024, 7:55 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1552	1	0
NtResumeThread Jan. 12, 2024, 7:55 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1552	1	0
NtResumeThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 1552	1	0
NtGetContextThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1552	1	0
NtGetContextThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1552	1	0
CreateProcessInternalW Jan. 12, 2024, 7:56 a.m.	thread_identifier: 2580 thread_handle: 0x000002a0 process_identifier: 2576 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 564 (CREATE_NEW_CONSOLE\|CREATE_NEW_PROCESS_GROUP\|CREATE_SUSPENDED\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtUnmapViewOfSection Jan. 12, 2024, 7:56 a.m.	base_address: 0x00400000 region_size: 14811136 process_identifier: 2576 process_handle: 0x000002a4		3221225497
NtAllocateVirtualMemory Jan. 12, 2024, 7:56 a.m.	process_identifier: 2576 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELÓ'eà :N0âP@à%Î¡@h/ p%°%È=PÐ.text39: `.rdataLéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: base_address: 0x00401000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: base_address: 0x00435000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: \¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSC\¿C.?AVbad_alloc@std@@\¿C.?AVexception@std@@\¿C.?AVtype_info@@\¿C.?AVbad_cast@std@@\¿C.?AVbad_typeid@std@@\¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ C<ØC8ØC4ØC0ØC,ØC(ØC$ØCØCØCØCØCô×Cì×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C´×C°×C¨×C×C×C×CÌ×C×C\|×Ct×Ch×C`×CT×CH×CD×C@×C4×C ×C×C ×C×CüÖCôÖCìÖCäÖCÜÖCÌÖC¼ÖC¬ÖCÖCÖCtÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCÖCðÕCÜÕCÐÕCÄÕC8ÖC¸ÕC¬ÕCÕCÕCxÕCdÕCPÕCHÕC@ÕC,ÕCÕCðÔC°CD°CD°CD°CD°CD`KDÚC ßC àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿÚCÜCÿÿÿÿ ÜC.\¿C.?AVlogic_error@std@@\¿C.?AVinvalid_argument@std@@\¿C.?AVlength_error@std@@\¿C.?AVout_of_range@std@@\¿C.?AVruntime_error@std@@\¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2576 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: base_address: 0x00658000 process_identifier: 2576 process_handle: 0x000002a4	1	1
NtGetContextThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000002a0	1	0
WriteProcessMemory Jan. 12, 2024, 7:56 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2576 process_handle: 0x000002a4	1	1
NtSetContextThread Jan. 12, 2024, 7:56 a.m.	registers.eip: 2005598660 registers.esp: 3733836 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2576	1	0
NtResumeThread Jan. 12, 2024, 7:56 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2576	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealerc.1m!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
Cylance	unsafe
Sangfor	Infostealer.Msil.Stealerc.Vc1z
Cybereason	malicious.854cf7
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AKOD
APEX	Malicious
McAfee	Artemis!D1A6F9BE6F04
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
Rising	Stealer.Stealerc!8.17BE0 (CLOUD)
DrWeb	Trojan.Inject5.1002
TrendMicro	Trojan.Win32.SMOKELOADER.YXEAKZ
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Webroot	W32.Trojan.MSIL.Stealerc
Google	Detected
Antiy-AVL	Trojan[PSW]/MSIL.StealerC
Kingsoft	Win32.PSWTroj.Undef.a
Gridinsoft	Ransom.Win32.Sabsik.cl
Microsoft	Trojan:MSIL/RemLoader!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Win32.Trojan.Agent.87NEUD
Varist	W32/ABRisk.QBYM-2748
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3980546630
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXEAKZ
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/Kryptik.AJDT!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

plugins.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All