Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 13, 2024, 7:16 p.m.	Jan. 13, 2024, 7:26 p.m.

Size	5.8MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`013dd34c1d52ad6a86419657437e247a`
SHA256	`6fc264d3ffc563ee44ae41f7693c1ec08d3d57e19b69b6e59c0a300c7317135c`
CRC32	`C40C1A2B`
ssdeep	`49152:dc7zDiiSwc9hNVVRa79rosQe/POjXVdDyLdTE+mhTjx71YDKbHMGNuBeE:dwDPSwcZVVRiREbUFHmhZ1uG49`
PDB Path	neuralnetwork_for_generating_postcards_with_text.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Microsoft_Office_File_Zero - Microsoft Office File Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

twoo.exe "C:\Users\test22\AppData\Local\Temp\twoo.exe"
652
- RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2508

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
65.109.241.139	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 65.109.241.139:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 13, 2024, 7:16 p.m.			0	0
IsDebuggerPresent Jan. 13, 2024, 7:16 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004129f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004129f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00412ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

neuralnetwork_for_generating_postcards_with_text.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 13, 2024, 7:16 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 13, 2024, 7:16 p.m.	stacktrace: regsvcs+0x1b973 @ 0x41b973 regsvcs+0x1dea4 @ 0x41dea4 regsvcs+0x1e309 @ 0x41e309 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 40 08 03 47 08 89 5d fc 89 46 08 40 50 c7 45 exception.symbol: regsvcs+0x15931 exception.instruction: mov eax, dword ptr [eax + 8] exception.module: RegSvcs.exe exception.exception_code: 0xc0000005 exception.offset: 88369 exception.address: 0x415931 registers.esp: 3908188 registers.edi: 3908592 registers.eax: 1 registers.ebp: 3908216 registers.edx: 1933960925 registers.ebx: 0 registers.esi: 3908580 registers.ecx: 3908592	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199601319247

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199601319247

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00518000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00519000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00afe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://t.me/bg3goty
url	https://steamcommunity.com/profiles/76561199601319247

Yara rule detected in process memory (17 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41
buffer	Buffer with sha1: 53da0335b58ead79825c624cb98832666dbb834b

Communicates with host for which no DNS query was performed (1 event)

host

65.109.241.139

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2508 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPEL¼Íeà :N0âP@à%0g@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: d¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSCd¿C.?AVbad_alloc@std@@d¿C.?AVexception@std@@d¿C.?AVtype_info@@d¿C.?AVbad_cast@std@@d¿C.?AVbad_typeid@std@@d¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ CDØC@ØC<ØC8ØC4ØC0ØC,ØC$ØCØCØCØCü×Cô×Cè×Cä×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C°×C¤×C×C×CÔ×C×C×C\|×Cp×Ch×C\×CP×CL×CH×C<×C(×C×C ×C×C×CüÖCôÖCìÖCäÖCÔÖCÄÖC´ÖC ÖCÖC\|ÖChÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCøÕCäÕCØÕCÌÕC@ÖCÀÕC´ÕC¤ÕCÕCÕClÕCXÕCPÕCHÕC4ÕCÕCøÔC°CD°CD°CD°CD°CD`KD ÚC(ßC¨àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿ ÚC¢ÜCÿÿÿÿ ¤ÜC.d¿C.?AVlogic_error@std@@d¿C.?AVinvalid_argument@std@@d¿C.?AVlength_error@std@@d¿C.?AVout_of_range@std@@d¿C.?AVruntime_error@std@@d¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x000002a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPEL¼Íeà :N0âP@à%0g@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x000002a4	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	RegSvcs.exe				useragent
process	RegSvcs.exe				useragent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0 uacq

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 called NtSetContextThread to modify thread in remote process 2508
NtSetContextThread Jan. 13, 2024, 7:16 p.m.	registers.eip: 2005598660 registers.esp: 3931472 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2508	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 resumed a thread in remote process 2508
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2508	1	0	0

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 652	1	0
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 652	1	0
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 652	1	0
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 652	1	0
CreateProcessInternalW Jan. 13, 2024, 7:16 p.m.	thread_identifier: 2512 thread_handle: 0x000002a0 process_identifier: 2508 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe filepath_r: stack_pivoted: 0 creation_flags: 564 (CREATE_NEW_CONSOLE\|CREATE_NEW_PROCESS_GROUP\|CREATE_SUSPENDED\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtUnmapViewOfSection Jan. 13, 2024, 7:16 p.m.	base_address: 0x00400000 region_size: 14221312 process_identifier: 2508 process_handle: 0x000002a4		3221225497
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2508 region_size: 2482176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ªA¡¸î Ïëî Ïëî ÏëVQëã ÏëVeëÕ ÏëçXLëë ÏëçX\ëâ ÏënYÎêí Ïëî Îë ÏëVdëÆ ÏëVRëï ÏëRichî ÏëPEL¼Íeà :N0âP@à%0g@p/ p%°%Ä=PÐ.text39: `.rdataTéPê>@@.dataè-!@(@À.rsrc°p%6@@.relocêR%T8@B base_address: 0x00400000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: base_address: 0x00401000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: base_address: 0x00435000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: d¿C.?AUThank_you@Define_the_symbol__ATL_MIXED@@HSCd¿C.?AVbad_alloc@std@@d¿C.?AVexception@std@@d¿C.?AVtype_info@@d¿C.?AVbad_cast@std@@d¿C.?AVbad_typeid@std@@d¿C.?AV__non_rtti_object@std@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î×ÿÿÿÿÿÿÿÿ CDØC@ØC<ØC8ØC4ØC0ØC,ØC$ØCØCØCØCü×Cô×Cè×Cä×Cà×CÜ×CØ×CÔ×CÐ×CÌ×CÈ×CÄ×CÀ×C¼×C¸×C°×C¤×C×C×CÔ×C×C×C\|×Cp×Ch×C\×CP×CL×CH×C<×C(×C×C ×C×C×CüÖCôÖCìÖCäÖCÔÖCÄÖC´ÖC ÖCÖC\|ÖChÖC`ÖCXÖCPÖCHÖC@ÖC8ÖC0ÖC(ÖC ÖCÖCÖCÖCøÕCäÕCØÕCÌÕC@ÖCÀÕC´ÕC¤ÕCÕCÕClÕCXÕCPÕCHÕC4ÕCÕCøÔC°CD°CD°CD°CD°CD`KD ÚC(ßC¨àC¸CD ED EDFD abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZFD¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²BÜ²B..XKDkekekekekekekekeke\KDkekekekekekeke`KDþÿÿÿ ÚC¢ÜCÿÿÿÿ ¤ÜC.d¿C.?AVlogic_error@std@@d¿C.?AVinvalid_argument@std@@d¿C.?AVlength_error@std@@d¿C.?AVout_of_range@std@@d¿C.?AVruntime_error@std@@d¿C.?AVoverflow_error@std@@ base_address: 0x00444000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: 0 HXp%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00657000 process_identifier: 2508 process_handle: 0x000002a4	1	1
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: base_address: 0x00658000 process_identifier: 2508 process_handle: 0x000002a4	1	1
NtGetContextThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x000002a0	1	0
WriteProcessMemory Jan. 13, 2024, 7:16 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2508 process_handle: 0x000002a4	1	1
NtSetContextThread Jan. 13, 2024, 7:16 p.m.	registers.eip: 2005598660 registers.esp: 3931472 registers.edi: 0 registers.eax: 4317744 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2508	1	0
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2508	1	0

twoo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All