Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 28, 2024, 9:48 a.m.	May 28, 2024, 9:51 a.m.

Size	8.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ae47c12b9320e702a9ce243193494554`
SHA256	`6e22c0f2732195063cb4984c6520c3b85e1236e967f8bb05b3c1b35139d2917b`
CRC32	`0AF2A5B3`
ssdeep	`196608:Fv1W8cKlJIszteRKn1chTDQfW7ancKlJIszteRKn1chTDQfWg:Fv1W8v1Bee1chTseenv1Bee1chTseg`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
2636
- cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\JKJECBAAAF.exe"
  2904
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit
  3032
  - timeout.exe timeout /t 10
    1484
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 23.1.179.144	104.106.57.101

IP Address	Status	Action
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
23.1.179.144	Active	Moloch
37.27.34.12	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 37.27.34.12:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49168 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49163 -> 23.1.179.144:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49168 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 23.1.179.144:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 28, 2024, 9:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 28, 2024, 9:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 28, 2024, 9:20 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 28, 2024, 9:21 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW May 28, 2024, 9:21 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW May 28, 2024, 9:20 a.m.	buffer: Waiting for 10 console_handle: 0x00000007	1	1
WriteConsoleW May 28, 2024, 9:20 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 28, 2024, 9:20 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199689717899

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199689717899

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 28, 2024, 9:20 a.m.	process_identifier: 2636 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2024, 9:20 a.m.	process_identifier: 2636 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2024, 9:20 a.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2024, 9:14 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\JKJECBAAAF.exe"
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit
cmdline	C:\Windows\System32\cmd.exe /c start "" "C:\ProgramData\JKJECBAAAF.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Setup.exe

Executes one or more WMI queries (1 event)

wmi

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 28, 2024, 9:20 a.m.	show_type: 0 filepath_r: C:\\Windows\\system32\\cmd.exe parameters: /c start "" "C:\ProgramData\JKJECBAAAF.exe" filepath: C:\Windows\System32\cmd.exe	1	1	0
ShellExecuteExW May 28, 2024, 9:20 a.m.	show_type: 0 filepath_r: C:\\Windows\\system32\\cmd.exe parameters: /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW May 28, 2024, 9:20 a.m.	snapshot_handle: 0x000005b8 process_name: pw.exe process_identifier: 2328	1	1
Process32NextW May 28, 2024, 9:20 a.m.	snapshot_handle: 0x000005b8 process_name: taskhost.exe process_identifier: 2452	1	1
Process32NextW May 28, 2024, 9:20 a.m.	snapshot_handle: 0x000005b8 process_name: Setup.exe process_identifier: 2636	1	1
Process32NextW May 28, 2024, 9:20 a.m.	snapshot_handle: 0x000005b8 process_name: WmiPrvSE.exe process_identifier: 2844	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00043400', u'virtual_address': u'0x00061000', u'entropy': 7.6952865163320725, u'name': u'.rsrc', u'virtual_size': u'0x00043400'}

entropy

7.69528651633

description

A section with a high entropy has been found

entropy

0.892205638474

description

Overall entropy of this PE file is high

Yara rule detected in process memory (18 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (40 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x000005b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000005c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA May 28, 2024, 9:20 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\test22\AppData\Local\Temp\Setup.exe" & rd /s /q "C:\ProgramData\IIJJDGHJKKJE" & exit

Communicates with host for which no DNS query was performed (1 event)

host

37.27.34.12

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\Setup.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 28, 2024, 9:20 a.m.	key_handle: 0x000005c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cylance	unsafe
Avast	FileRepMalware [Pws]
Kaspersky	UDS:Trojan-PSW.Win32.Stealerc.kzo
Rising	Trojan.Generic@AI.100 (RDML:jSJLVqPAELURS+AlalnDoA)
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEE2Z
McAfeeD	ti!6E22C0F27321
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.ae47c12b9320e702
Sophos	Generic Reputation PUA (PUA)
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:Trojan-PSW.Win32.Stealerc.kzo
DeepInstinct	MALICIOUS
AVG	FileRepMalware [Pws]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

Network activity contains more than one unique useragent (2 events)

process	Setup.exe				useragent
process	Setup.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 resumed a thread in remote process 2904
Process injection	Process 2636 resumed a thread in remote process 3032
NtResumeThread May 28, 2024, 9:20 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2904	1	0	0
NtResumeThread May 28, 2024, 9:20 a.m.	thread_handle: 0x000006a4 suspend_count: 1 process_identifier: 3032	1	0	0

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All