Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2024, 4:51 p.m.	Nov. 8, 2024, 5:17 p.m.

Size	1.2MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`f94a052d95dc5764215142f9b90ad7b9`
SHA256	`f6dc1951d5a73ff9ef54bde66bfc3444fb7b160c74a8d070b85b20d25568392d`
CRC32	`A7F90407`
ssdeep	`24576:Tjm1sk9lP6nWZJaIOo/QHtH9YZ0yNJW+6JR5b:U96nWerAQHB9yjWzf`
PDB Path	D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2132
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
1648
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2324
  - netsh.exe netsh wlan show profiles
    2412
  - powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
    2896
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
93.123.109.4	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2024, 4:43 p.m.			0	0
IsDebuggerPresent Nov. 8, 2024, 4:43 p.m.			0	0
IsDebuggerPresent Nov. 8, 2024, 4:51 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000386dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d85c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d85c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8ef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8f60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8f60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d8f60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000386ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000386ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d84e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003668d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003668d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003668d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003668d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6037b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6037b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b603a50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b603a50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000366a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000366a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000366a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2024, 4:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000366a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2024, 4:51 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (50 out of 175 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000026c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1d61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fde000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fde000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fdf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1fde000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00045000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00046000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0003a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00181000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 4:51 p.m.	process_identifier: 2896 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: pw.exe process_identifier: 1700	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: sdclt.exe process_identifier: 1836	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: taskhost.exe process_identifier: 1000	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: SearchProtocolHost.exe process_identifier: 316	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: cmd.exe process_identifier: 1184	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: SearchFilterHost.exe process_identifier: 1540	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 1648	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2324	1	1
Process32NextW Nov. 8, 2024, 4:43 p.m.	snapshot_handle: 0x0000000000000128 process_name: conhost.exe process_identifier: 2388	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: svchost.exe process_identifier: 2644	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: mscorsvw.exe process_identifier: 2672	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: mscorsvw.exe process_identifier: 2712	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: sppsvc.exe process_identifier: 2764	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: cmd.exe process_identifier: 2844	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: conhost.exe process_identifier: 2852	1	1
Process32NextW Nov. 8, 2024, 4:44 p.m.	snapshot_handle: 0x00000000000002cc process_name: pw.exe process_identifier: 2876	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 8, 2024, 4:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh wlan show profiles

Communicates with host for which no DNS query was performed (1 event)

host

93.123.109.4

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (12 events)

file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

93.123.109.4:80

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.Common.DB7339C8
Lionic	Trojan.Win32.Stealer.12!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojanpws.Convagent
Skyhigh	BehavesLike.Win64.Generic.th
ALYac	Gen:Variant.Zusy.477261
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.477261
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Gen:Variant.Zusy.477261
K7GW	Password-Stealer ( 0059c99d1 )
K7AntiVirus	Password-Stealer ( 0059c99d1 )
Arcabit	Trojan.Zusy.D7484D
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/PSW.Agent.CW
Avast	Win64:BotX-gen [Trj]
ClamAV	Win.Keylogger.Zusy-10017136-0
Kaspersky	HEUR:Trojan-PSW.Win32.Convagent.gen
Alibaba	TrojanPSW:Win64/Convagent.1a801c7e
MicroWorld-eScan	Gen:Variant.Zusy.477261
Rising	Stealer.Agent!8.C2 (TFE:5:PmswK9jgQcH)
Emsisoft	Gen:Variant.Zusy.477261 (B)
F-Secure	Trojan.TR/PSW.Agent.nwhwy
DrWeb	Trojan.SpyBot.1358
Zillya	Trojan.Stealer.Win32.171890
McAfeeD	ti!F6DC1951D5A7
CTX	dll.trojan.stealer
Sophos	Mal/Generic-S
FireEye	Gen:Variant.Zusy.477261
Jiangmin	Trojan.PSW.Convagent.oj
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/PSW.Agent.nwhwy
Antiy-AVL	Trojan[Spy]/Win32.Stealer
Kingsoft	Win32.Trojan-PSW.Convagent.gen
Gridinsoft	Trojan.Win64.Agent.sa
Xcitium	Malware@#1kmefqufbivoz
Microsoft	Trojan:Win64/Zusy.AMS!MTB
ViRobot	Trojan.Win.Z.Zusy.1285120.W
ZoneAlarm	HEUR:Trojan-PSW.Win32.Convagent.gen
GData	Gen:Variant.Zusy.477261
Varist	W64/Kryptik.LNI.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R672848
McAfee	Artemis!F94A052D95DC
TACHYON	Trojan-Spy/W64.InfoStealer.1285120
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealer
Ikarus	Trojan-PSW.Agent
Panda	Trj/GdSda.A

cred64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All