Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 13, 2024, 7:15 p.m.	Jan. 13, 2024, 7:17 p.m.

Size	5.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bd94daa7872d164c29dcdf71a89b4771`
SHA256	`435a707b6f55a048249ec75f8f52595667538f98d5e71a2f14b094cc6fc289fd`
CRC32	`03938121`
ssdeep	`98304:5qmruGbfvvlCTKssjDm6/GEvMjW5sKu9OQBpN:QmruGbfv94qHm6+YMKi4u`
PDB Path	for_the_vehicle_parts_manufacturer.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Microsoft_Office_File_Zero - Microsoft Office File Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

one.exe "C:\Users\test22\AppData\Local\Temp\one.exe"
940
- InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2512

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
65.109.241.139	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49169 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 65.109.241.139:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 13, 2024, 7:15 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 13, 2024, 7:15 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 13, 2024, 7:15 p.m.			0	0
IsDebuggerPresent Jan. 13, 2024, 7:15 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 13, 2024, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d73868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d73868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d73928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

for_the_vehicle_parts_manufacturer.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 13, 2024, 7:15 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 13, 2024, 7:15 p.m.	stacktrace: installutil+0x1b973 @ 0x41b973 installutil+0x1dea4 @ 0x41dea4 installutil+0x1e309 @ 0x41e309 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 08 03 47 08 89 5d fc 89 46 08 40 50 c7 45 exception.symbol: installutil+0x15931 exception.instruction: mov eax, dword ptr [eax + 8] exception.module: InstallUtil.exe exception.exception_code: 0xc0000005 exception.offset: 88369 exception.address: 0x415931 registers.esp: 4169780 registers.edi: 4170184 registers.eax: 1 registers.ebp: 4169808 registers.edx: 1934026461 registers.ebx: 0 registers.esi: 4170172 registers.ecx: 4170184	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199601319247

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199601319247

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ced000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0524f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cdd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cde000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cdf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://t.me/bg3goty
url	https://steamcommunity.com/profiles/76561199601319247

Yara rule detected in process memory (17 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41
buffer	Buffer with sha1: 19c856bb95942ee1e0fd819dce2a81cc2f37fe1b

Communicates with host for which no DNS query was performed (1 event)

host

65.109.241.139

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 2512 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELsòeà :N0âP@à%Ye@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: d¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSCd¿C.?AVbad_alloc@std@@d¿C.?AVexception@std@@d¿C.?AVtype_info@@d¿C.?AVbad_cast@std@@d¿C.?AVbad_typeid@std@@d¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ CDØC@ØC<ØC8ØC4ØC0ØC,ØC$ØCØCØCØCü×Cô×Cè×Cä×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C°×C¤×C×C×CÔ×C×C×C\|×Cp×Ch×C\×CP×CL×CH×C<×C(×C×C ×C×C×CüÖCôÖCìÖCäÖCÔÖCÄÖC´ÖC ÖCÖC\|ÖChÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCøÕCäÕCØÕCÌÕC@ÖCÀÕC´ÕC¤ÕCÕCÕClÕCXÕCPÕCHÕC4ÕCÕCøÔC°CD°CD°CD°CD°CD`KD ÚC(ßC¨àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿ ÚC¢ÜCÿÿÿÿ ¤ÜC.d¿C.?AVlogic_error@std@@d¿C.?AVinvalid_argument@std@@d¿C.?AVlength_error@std@@d¿C.?AVout_of_range@std@@d¿C.?AVruntime_error@std@@d¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2512 process_handle: 0x000002a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELsòeà :N0âP@à%Ye@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000002a4	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	InstallUtil.exe				useragent
process	InstallUtil.exe				useragent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0 uacq

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 940 called NtSetContextThread to modify thread in remote process 2512
NtSetContextThread Jan. 13, 2024, 7:15 p.m.	registers.eip: 2005598660 registers.esp: 4193064 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2512	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 940 resumed a thread in remote process 2512
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2512	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 940	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 940	1	0
NtGetContextThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 940	1	0
NtGetContextThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 940	1	0
CreateProcessInternalW Jan. 13, 2024, 7:15 p.m.	thread_identifier: 2516 thread_handle: 0x000002a0 process_identifier: 2512 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 564 (CREATE_NEW_CONSOLE\|CREATE_NEW_PROCESS_GROUP\|CREATE_SUSPENDED\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtUnmapViewOfSection Jan. 13, 2024, 7:15 p.m.	base_address: 0x00400000 region_size: 4653056 process_identifier: 2512 process_handle: 0x000002a4		3221225497
NtAllocateVirtualMemory Jan. 13, 2024, 7:15 p.m.	process_identifier: 2512 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPELsòeà :N0âP@à%Ye@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: base_address: 0x00401000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: base_address: 0x00435000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: d¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSCd¿C.?AVbad_alloc@std@@d¿C.?AVexception@std@@d¿C.?AVtype_info@@d¿C.?AVbad_cast@std@@d¿C.?AVbad_typeid@std@@d¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ CDØC@ØC<ØC8ØC4ØC0ØC,ØC$ØCØCØCØCü×Cô×Cè×Cä×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C°×C¤×C×C×CÔ×C×C×C\|×Cp×Ch×C\×CP×CL×CH×C<×C(×C×C ×C×C×CüÖCôÖCìÖCäÖCÔÖCÄÖC´ÖC ÖCÖC\|ÖChÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCøÕCäÕCØÕCÌÕC@ÖCÀÕC´ÕC¤ÕCÕCÕClÕCXÕCPÕCHÕC4ÕCÕCøÔC°CD°CD°CD°CD°CD`KD ÚC(ßC¨àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿ ÚC¢ÜCÿÿÿÿ ¤ÜC.d¿C.?AVlogic_error@std@@d¿C.?AVinvalid_argument@std@@d¿C.?AVlength_error@std@@d¿C.?AVout_of_range@std@@d¿C.?AVruntime_error@std@@d¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2512 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: base_address: 0x00658000 process_identifier: 2512 process_handle: 0x000002a4	1	1
NtGetContextThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000002a0	1	0
WriteProcessMemory Jan. 13, 2024, 7:15 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2512 process_handle: 0x000002a4	1	1
NtSetContextThread Jan. 13, 2024, 7:15 p.m.	registers.eip: 2005598660 registers.esp: 4193064 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2512	1	0
NtResumeThread Jan. 13, 2024, 7:15 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2512	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealerc.1m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
Cylance	unsafe
Sangfor	Trojan.Msil.Kryptik.Vgok
Cybereason	malicious.1e2514
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AJGW
McAfee	Artemis!BD94DAA7872D
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
Alibaba	Trojan:MSIL/Kryptik.891f705b
MicroWorld-eScan	Trojan.GenericKD.71194315
Rising	Stealer.Stealerc!8.17BE0 (CLOUD)
F-Secure	Trojan.TR/AD.Nekark.ymhhe
DrWeb	Trojan.PWS.Steam.37054
TrendMicro	TrojanSpy.Win32.VIDAR.YXEAMZ
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Google	Detected
Avira	TR/AD.Nekark.ymhhe
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.Kryptik.cl
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Win32.Trojan.Agent.WE4XBZ
Varist	W32/ABRisk.QTUB-4478
AhnLab-V3	Trojan/Win.Generic.C5573699
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.zgRAT.Heur
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEAMZ
Tencent	Win32.Trojan.FalseSign.Xmhl
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/Kryptik.AJDT!tr
CrowdStrike	win/malicious_confidence_90% (W)

one.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All