Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 24, 2024, 10:48 a.m.	Sept. 24, 2024, 10:55 a.m.

Size	690.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`03bda990b8fd0d4cc27611edbceea3f0`
SHA256	`c96b8380f3acee84358759a9b70a5e7f46b0b0084b875ec82d6cd787a72f727d`
CRC32	`0C1B1F03`
ssdeep	`12288:VyKRi53dU4nH1I1dNTW6xQBZhEFNaIxH7A3OyEmH/7x7wMoVaWTHt37Vx0Sn5GZi:tRi1dUJTW6xQBZh6JA+yEmDBw1THt3zn`
PDB Path	D:\Dev\Tin9\InstallDir\vc80x86u\Loader.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

m2123.exe "C:\Users\test22\AppData\Local\Temp\m2123.exe"
2672
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 24, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 24, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Dev\Tin9\InstallDir\vc80x86u\Loader.pdb

Tries to locate where the browsers are installed (2 events)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 24, 2024, 10:48 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.tsustub
section	.tsuarch

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73282000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x039f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:48 a.m.	process_identifier: 2672 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 24, 2024, 10:41 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000064e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Sept. 24, 2024, 10:48 a.m.	total_number_of_free_bytes: 13322133504 free_bytes_available: 13322133504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 24, 2024, 10:48 a.m.	total_number_of_free_bytes: 13321850880 free_bytes_available: 13321850880 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 24, 2024, 10:48 a.m.	total_number_of_free_bytes: 13321080832 free_bytes_available: 13321080832 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\15D95CB4\_Setup.dll
file	C:\Users\test22\AppData\Local\Temp\15D95CB4\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\Tsu6E3F8746.dll
file	C:\Users\test22\AppData\Local\Razer\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\_tinreg32.exe
file	C:\Users\test22\AppData\Local\Razer\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\_tinreg64.exe

Creates a shortcut to an executable file (8 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\15D95CB4\_Setup.dll
file	C:\Users\test22\AppData\Local\Temp\15D95CB4\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\Tsu6E3F8746.dll
file	C:\Users\test22\AppData\Local\Razer\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\_tinreg32.exe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00026000', u'virtual_address': u'0x00009000', u'entropy': 7.997213108894322, u'name': u'.tsustub', u'virtual_size': u'0x00025e45'}

entropy

7.99721310889

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00081800', u'virtual_address': u'0x0002f000', u'entropy': 7.999538945545855, u'name': u'.tsuarch', u'virtual_size': u'0x00081800'}

entropy

7.99953894555

description

A section with a high entropy has been found

entropy

0.971718636693

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 24, 2024, 10:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (26 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{YOUR MAIN PRODUCT GUID GOES HERE} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{YOUR MAIN PRODUCT GUID GOES HERE}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{YOUR MAIN PRODUCT GUID GOES HERE} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{YOUR MAIN PRODUCT GUID GOES HERE}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x0002011f regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x0002021f regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000120 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}	1	0
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x0002011f regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000120 options: 0 access: 0x00020219 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}	1	0
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x0002021f regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}\States		2
RegOpenKeyExW Sept. 24, 2024, 10:48 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4} base_handle: 0x80000001 key_handle: 0x00000120 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{957186D4-B8E2-4FA7-8F5A-B68B4E4D79D4}	1	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
ESET-NOD32	a variant of Win32/Injector.ETUB
APEX	Malicious
Rising	Dropper.Agent!8.2F (CLOUD)
Trapmine	malicious.high.ml.score
Google	Detected
Antiy-AVL	Trojan[Injector]/Win32.Agent
Kingsoft	Win32.HeurC.KVMH008.a
McAfee	Artemis!03BDA990B8FD
Malwarebytes	Malware.Heuristic.2089
Ikarus	PUA.BAT.Hostschanger
Paloalto	generic.ml

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1452 resumed a thread in remote process 2832
NtResumeThread Sept. 24, 2024, 10:41 a.m.	thread_handle: 0x0000000000000984 suspend_count: 1 process_identifier: 2832	1	0	0

m2123.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All