Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 16, 2024, 6:20 p.m.	Dec. 16, 2024, 6:41 p.m.

Size	116.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`78c586522f986994aa77c466c9d678a8`
SHA256	`498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9`
CRC32	`0725F836`
ssdeep	`1536:7DG01nFGLBQ+ZH3RSR9CJd6FLVTS6OSjl5eEJXopJ7xfYUCFkhTy3QFTiKCq:nFFFiMWJd6F5TnO65r+T1JQoTy3qTiY`
Yara	RedLine_Stealer_b_Zero - RedLine stealer Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Itaxyhi.exe "C:\Users\test22\AppData\Local\Temp\Itaxyhi.exe"
1188

Name	Response	Post-Analysis Lookup
get.geojs.io	A 104.26.0.100 A 104.26.1.100 A 172.67.70.233	104.26.0.100
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
104.26.1.100	Active	Moloch
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 104.26.1.100:443	2039595	ET INFO External IP Address Lookup Domain (get .geojs .io) in TLS SNI	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49163 -> 104.26.1.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 104.26.1.100:443	2039595	ET INFO External IP Address Lookup Domain (get .geojs .io) in TLS SNI	Device Retrieving External IP Address Detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2039594	ET INFO External IP Address Lookup Domain (get .geojs .io) in DNS Lookup	Device Retrieving External IP Address Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49163 104.26.1.100:443	C=US, O=Google Trust Services, CN=WR1	CN=geojs.io	39:4b:e5:e5:5b:7f:a2:e6:21:80:a5:bc:21:09:a8:c7:d5:47:02:df

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 16, 2024, 6:06 p.m.			0	0
IsDebuggerPresent Dec. 16, 2024, 6:06 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey Dec. 16, 2024, 6:07 p.m.	crypto_handle: 0x000000001ae8a900 algorithm_identifier: 0x00006610 () flags: 1 key: f ËºfS4`åömÄ>úGÎß?ßþX°øµ· provider_handle: 0x000000001ae5fba0	1	1
CryptExportKey Dec. 16, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ae8a900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey Dec. 16, 2024, 6:07 p.m.	buffer: f ËºfS4`åömÄ>úGÎß?ßþX°øµ· crypto_handle: 0x000000001ae8a900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 16, 2024, 6:06 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://get.geojs.io/v1/ip/geo.json

Performs some HTTP requests (1 event)

request

GET https://get.geojs.io/v1/ip/geo.json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 93 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ecc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 16, 2024, 6:06 p.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 121 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\apjdnokplgcjkejimjdfjnhmjlbpgkdi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idkppnahnmmggbmfkjhiakkbkdpnmnon
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\enabgbdfcbaehmbigakijjabdpdnimlg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpopkelmapcoipemfendmdghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jifanbgejlbcmhbbdbnfbfnlmbomjedj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgfffbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Ipfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ajkifnllfhikkjbjopkhmjoieikeihjb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilbbpajmiplgpehdikmejfemfklpkmke
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocefimbphcgjaahbclemolcmkeanoagc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flikjlpgnpcjdienoojmgliechmmheek
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppdjlkfkedmidmclhakfncpfdmdgmjpm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hbpfjlflhnmkddbjdchbbifhllgmmhnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcglfhcjfpkgdppjbglknafgfffkelnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gflpckpfdgcagnbdfafmibcmkadnlhpj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lnnnmfcpbkafcpgdilckhmhbkkbpkmid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 16, 2024, 6:06 p.m.	flags: 15 family: 0		111	0

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Generic.cm
McAfee	Trojan-FRAX!78C586522F98
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75122635
Sangfor	Spyware.Msil.Mamut.Vfip
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75122635
K7GW	Trojan-Downloader ( 005706a81 )
K7AntiVirus	Trojan-Downloader ( 005706a81 )
Arcabit	Trojan.Generic.D47A47CB
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Infostealer.Rumord!gen
Elastic	Windows.Infostealer.PhemedroneStealer
ESET-NOD32	a variant of MSIL/Spy.Agent.EOC
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Packed.Msilzilla-10026835-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
Alibaba	TrojanPSW:MSIL/Mamut.87a11d0d
NANO-Antivirus	Trojan.Win32.Stealer.ktzamc
MicroWorld-eScan	Trojan.GenericKD.75122635
Rising	Stealer.Phemedrone!1.F3D5 (CLASSIC)
Emsisoft	Trojan.GenericKD.75122635 (B)
F-Secure	Trojan.TR/Spy.Agent.geewy
DrWeb	Trojan.PWS.Stealer.40208
McAfeeD	ti!498AC6B74769
CTX	exe.trojan.msil
Sophos	Mal/PhemSteal-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.78c586522f986994
Jiangmin	Trojan.PSW.MSIL.eugx
Webroot	W32.Trojan.MSILMamut
Google	Detected
Avira	TR/Spy.Agent.geewy
Kingsoft	malware.kb.c.946
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:MSIL/Mamut.KAE!MTB
ViRobot	Trojan.Win.Z.Jalapeno.119296.E
GData	Trojan.GenericKD.75122635
Varist	W32/MSIL_Agent.FUM.gen!Eldorado
AhnLab-V3	Trojan/Win32.RL_Reconyc.C3542581
VBA32	TScope.Trojan.MSIL
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealer.MSIL
Ikarus	Trojan-Spy.RedLineStealer
Panda	Trj/GdSda.A
Tencent	Trojan.Msil.Agent.ca

Itaxyhi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All