File 00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe

Size 289.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fe3dffdc4a273c8d4b2cd301a1d98abf
SHA1 00e1b5fbe988040bc1d8d730a6409b191c9d44d3
SHA256 1be9e53de49352dd005694defe603db6ff2091c0e413c8517adca3772de411f3
SHA512
2078739d0456c541ae0ccf5a8c475bd5dd80b6c488470eec70f3a295e0b5a8676addc49e56ab6fe1eed59aacd4ce5fd6b8b7407158caaf539367b98b09b97b46
CRC32 A03BD41B
ssdeep None
Yara
  • screenshot - Take screenshot
  • keylogger - Run a keylogger

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: The scoring system is currently still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: April 8, 2025, 11:35 a.m.
Completed: April 8, 2025, 11:43 a.m.
Duration: 445 seconds
Routing: internet

Analyzer Log

2025-04-08 11:32:53,062 [analyzer] DEBUG: Starting analyzer from: C:\tmpwwr_kc
2025-04-08 11:32:53,062 [analyzer] DEBUG: Pipe server name: \??\PIPE\XxidFYjVFxbMyvUU
2025-04-08 11:32:53,078 [analyzer] DEBUG: Log pipe server name: \??\PIPE\jjWoFfBUGlmpiAlSzrBWb
2025-04-08 11:32:53,687 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-08 11:32:53,687 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-08 11:32:54,921 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-08 11:32:55,140 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-04-08 11:32:55,155 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-08 11:32:55,155 [analyzer] DEBUG: Started auxiliary module Human
2025-04-08 11:32:55,155 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-08 11:32:55,155 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-08 11:32:55,312 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-08 11:32:55,312 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-08 11:32:55,312 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-08 11:32:55,312 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-08 11:32:55,500 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe' with arguments '' and pid 2832
2025-04-08 11:32:55,671 [analyzer] DEBUG: Loaded monitor into process with pid 2832
2025-04-08 11:32:56,280 [analyzer] INFO: Added new file to list with pid 2832 and path C:\Users\Administrator\AppData\Roaming\Uzqasu\hyma.exe
2025-04-08 11:32:56,500 [analyzer] INFO: Injected into process with pid 1352 and name u'hyma.exe'
2025-04-08 11:32:56,687 [analyzer] DEBUG: Loaded monitor into process with pid 1352
2025-04-08 11:32:57,467 [analyzer] DEBUG: Loaded monitor into process with pid 1492
2025-04-08 11:32:57,467 [analyzer] INFO: Injected into process with pid 1492 and name u'taskhost.exe'
2025-04-08 11:32:57,812 [analyzer] DEBUG: Loaded monitor into process with pid 1592
2025-04-08 11:32:57,812 [analyzer] INFO: Injected into process with pid 1592 and name u'dwm.exe'
2025-04-08 11:32:58,171 [analyzer] DEBUG: Loaded monitor into process with pid 1724
2025-04-08 11:32:58,171 [analyzer] INFO: Injected into process with pid 1724 and name u'explorer.exe'
2025-04-08 11:32:58,187 [analyzer] WARNING: Received request to inject Cuckoo processes, skipping it.
2025-04-08 11:32:58,703 [analyzer] DEBUG: Loaded monitor into process with pid 608
2025-04-08 11:32:58,703 [analyzer] INFO: Injected into process with pid 608 and name u'mobsync.exe'
2025-04-08 11:32:58,717 [analyzer] WARNING: Received request to inject Cuckoo processes, skipping it.
2025-04-08 11:32:59,515 [analyzer] INFO: Process with pid 608 has terminated
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2025-04-08 11:33:06,655 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2025-04-08 11:33:06,733 [analyzer] INFO: io=NULL
2025-04-08 11:33:06,733 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2025-04-08 11:33:06,733 [analyzer] DEBUG: Loaded monitor into process with pid 2776
2025-04-08 11:33:06,733 [analyzer] INFO: Injected into process with pid 2776 and name u'WinMail.exe'
2025-04-08 11:33:06,750 [analyzer] INFO: Added new file to list with pid 2832 and path C:\Users\Administrator\AppData\Local\Temp\tmp82dfcd5b.bat
2025-04-08 11:33:06,875 [analyzer] INFO: Injected into process with pid 220 and name u'cmd.exe'
2025-04-08 11:33:07,092 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2832.
2025-04-08 11:33:07,125 [analyzer] DEBUG: Loaded monitor into process with pid 220
2025-04-08 11:33:07,250 [analyzer] INFO: Added pid 220 for u'C:\\Users\\Administrator\\AppData\\Local\\Temp\\tmp82dfcd5b.bat'
2025-04-08 11:33:07,375 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 220.
2025-04-08 11:33:07,515 [analyzer] INFO: Process with pid 2832 has terminated
2025-04-08 11:33:07,515 [analyzer] INFO: Process with pid 220 has terminated
2025-04-08 10:38:43,493 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
2025-04-08 10:38:43,572 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk
2025-04-08 10:38:44,056 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
2025-04-08 10:38:44,056 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
2025-04-08 10:38:44,213 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\Local\Temp\CabA845.tmp
2025-04-08 10:38:44,338 [analyzer] INFO: Added new file to list with pid 2776 and path C:\Users\Administrator\AppData\Local\Temp\TarA856.tmp
2025-04-08 10:38:53,134 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-08 10:38:53,479 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1352.
2025-04-08 10:38:53,759 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1492.
2025-04-08 10:38:53,884 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1592.
2025-04-08 10:38:53,963 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1724.
2025-04-08 10:38:54,040 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 2776.
2025-04-08 10:38:54,322 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-08 10:38:54,322 [lib.api.process] INFO: Successfully terminated process with pid 1352.
2025-04-08 10:38:54,322 [lib.api.process] INFO: Successfully terminated process with pid 1492.
2025-04-08 10:38:54,322 [lib.api.process] INFO: Successfully terminated process with pid 1592.
2025-04-08 10:38:54,338 [lib.api.process] INFO: Successfully terminated process with pid 1724.
2025-04-08 10:38:54,338 [lib.api.process] INFO: Successfully terminated process with pid 2776.
2025-04-08 10:38:54,697 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-08 11:35:44,909 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:45,942 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:46,984 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:48,020 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:49,057 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:50,122 [cuckoo.core.scheduler] DEBUG: Task #6249990: no machine available yet
2025-04-08 11:35:51,183 [cuckoo.core.scheduler] INFO: Task #6249990: acquired machine win7x645 (label=win7x645)
2025-04-08 11:35:51,184 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.205 for task #6249990
2025-04-08 11:35:51,591 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1990003 (interface=vboxnet0, host=192.168.168.205)
2025-04-08 11:35:52,599 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x645
2025-04-08 11:35:53,191 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x645 to vmcloak
2025-04-08 11:38:12,914 [cuckoo.core.guest] INFO: Starting analysis #6249990 on guest (id=win7x645, ip=192.168.168.205)
2025-04-08 11:38:13,919 [cuckoo.core.guest] DEBUG: win7x645: not ready yet
2025-04-08 11:38:18,951 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x645, ip=192.168.168.205)
2025-04-08 11:38:19,237 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x645, ip=192.168.168.205, monitor=latest, size=6660546)
2025-04-08 11:38:21,600 [cuckoo.core.resultserver] DEBUG: Task #6249990: live log analysis.log initialized.
2025-04-08 11:38:23,808 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:24,268 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:25,038 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/e3b0c44298fc1c14_hyma.exe'
2025-04-08 11:38:25,064 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 0
2025-04-08 11:38:25,083 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'shots/0001.jpg'
2025-04-08 11:38:25,119 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 133508
2025-04-08 11:38:25,221 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:26,133 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:26,303 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:26,590 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:27,091 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:35,200 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:35,621 [cuckoo.core.resultserver] DEBUG: Task #6249990 is sending a BSON stream
2025-04-08 11:38:35,863 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/1be9e53de49352dd_00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe'
2025-04-08 11:38:35,868 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 295976
2025-04-08 11:38:35,879 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/79186b33a5bc1cd8_tmp82dfcd5b.bat'
2025-04-08 11:38:35,881 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 278
2025-04-08 11:38:36,145 [cuckoo.core.guest] DEBUG: win7x645: analysis #6249990 still processing
2025-04-08 11:38:44,423 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/d12dd18018f984aa_CabA845.tmp'
2025-04-08 11:38:44,427 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 58383
2025-04-08 11:38:44,437 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/78eeb661b72a34ca_TarA856.tmp'
2025-04-08 11:38:44,441 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 146584
2025-04-08 11:38:51,388 [cuckoo.core.guest] DEBUG: win7x645: analysis #6249990 still processing
2025-04-08 11:38:54,166 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'curtain/1744101534.15.curtain.log'
2025-04-08 11:38:54,169 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 36
2025-04-08 11:38:54,301 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'sysmon/1744101534.29.sysmon.xml'
2025-04-08 11:38:54,321 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 733374
2025-04-08 11:38:54,349 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/3193952c83d4cd90_edb.chk'
2025-04-08 11:38:54,351 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 8192
2025-04-08 11:38:54,356 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/2654c273c211ae1a_e6024eac88e6b6165d49fe3c95add735'
2025-04-08 11:38:54,359 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 558
2025-04-08 11:38:54,494 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/56fe5537d2173488_hyma.exe'
2025-04-08 11:38:54,544 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 295976
2025-04-08 11:38:54,589 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/0bd9822857d57f4c_e6024eac88e6b6165d49fe3c95add735'
2025-04-08 11:38:54,591 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 232
2025-04-08 11:38:54,663 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'shots/0002.jpg'
2025-04-08 11:38:54,678 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 129623
2025-04-08 11:38:54,689 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/fa697b357cdc6c37_windowsmail.msmessagestore'
2025-04-08 11:38:54,715 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 2113536
2025-04-08 11:38:54,745 [cuckoo.core.resultserver] DEBUG: Task #6249990 had connection reset for <Context for LOG>
2025-04-08 11:38:57,425 [cuckoo.core.guest] INFO: win7x645: analysis completed successfully
2025-04-08 11:38:57,435 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-08 11:38:57,466 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-08 11:38:58,295 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x645 to path /srv/cuckoo/cwd/storage/analyses/6249990/memory.dmp
2025-04-08 11:38:58,297 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x645
2025-04-08 11:43:06,440 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.205 for task #6249990
2025-04-08 11:43:06,932 [cuckoo.core.scheduler] DEBUG: Released database task #6249990
2025-04-08 11:43:10,529 [cuckoo.core.scheduler] INFO: Task #6249990: analysis procedure completed
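Two details in the upload log above are easier to check by script than by eye. Cuckoo stores a captured file as files/<first 16 hex digits of its SHA-256>_<original name> (the sample's own upload carries 1be9e53de49352dd, matching the SHA256 in the header), and e3b0c44298fc1c14 is the SHA-256 of zero-byte input, so the first hyma.exe capture (length 0) was taken before the dropper had finished writing it, while the second hyma.exe capture has exactly the sample's size (295976 bytes) under a different hash. The Python below is an added example, not part of the Cuckoo report or of Cuckoo's own processing modules; it parses resultserver lines copied from the log above as constructed input and flags those three conditions. The function names, the result keys and the pairing logic are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed input: resultserver lines copied from the Cuckoo log above (not the report's own data files).
SAMPLE_LOG = """\
2025-04-08 11:38:25,038 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/e3b0c44298fc1c14_hyma.exe'
2025-04-08 11:38:25,064 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 0
2025-04-08 11:38:25,083 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'shots/0001.jpg'
2025-04-08 11:38:25,119 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 133508
2025-04-08 11:38:35,863 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/1be9e53de49352dd_00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe'
2025-04-08 11:38:35,868 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 295976
2025-04-08 11:38:35,879 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/79186b33a5bc1cd8_tmp82dfcd5b.bat'
2025-04-08 11:38:35,881 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 278
2025-04-08 11:38:54,494 [cuckoo.core.resultserver] DEBUG: Task #6249990: File upload for 'files/56fe5537d2173488_hyma.exe'
2025-04-08 11:38:54,544 [cuckoo.core.resultserver] DEBUG: Task #6249990 uploaded file length: 295976
"""

UPLOAD_RE = re.compile(r"File upload for '(?P<path>[^']+)'")
LENGTH_RE = re.compile(r"uploaded file length: (?P<length>\d+)")
# Cuckoo stores dropped files as files/<first 16 hex digits of SHA-256>_<original name>.
DROPPED_RE = re.compile(r"^files/(?P<prefix>[0-9a-f]{16})_(?P<name>.+)$")
EMPTY_SHA256_PREFIX = hashlib.sha256(b"").hexdigest()[:16]  # "e3b0c44298fc1c14"


def parse_uploads(log_text):
    """Pair each 'File upload for' line with the 'uploaded file length' line that follows it."""
    uploads, pending = [], None
    for line in log_text.splitlines():
        if m := UPLOAD_RE.search(line):
            pending = {"path": m.group("path"), "prefix": None, "name": None, "length": None}
            if d := DROPPED_RE.match(pending["path"]):
                pending.update(prefix=d.group("prefix"), name=d.group("name"))
            uploads.append(pending)
        elif (m := LENGTH_RE.search(line)) and pending is not None:
            pending["length"] = int(m.group("length"))
            pending = None
    return uploads


def triage_dropped_files(uploads, sample_sha256, sample_size):
    """Flag empty captures, names captured more than once, and sample-sized files with a different hash."""
    dropped = [u for u in uploads if u["prefix"] is not None]
    by_name = defaultdict(list)
    for u in dropped:
        by_name[u["name"]].append(u)
    return {
        # A zero-length capture hashes to the empty-input SHA-256: grabbed before the dropper wrote it.
        "empty": sorted(u["name"] for u in dropped
                        if u["length"] == 0 or u["prefix"] == EMPTY_SHA256_PREFIX),
        # The same file name captured again with different content.
        "recaptured": sorted(n for n, us in by_name.items() if len({u["prefix"] for u in us}) > 1),
        # Same byte length as the submitted sample but not the sample's hash: a modified copy of it.
        "same_size_as_sample": sorted(u["name"] for u in dropped
                                      if u["length"] == sample_size
                                      and not sample_sha256.startswith(u["prefix"])),
    }


if __name__ == "__main__":
    print(triage_dropped_files(
        parse_uploads(SAMPLE_LOG),
        sample_sha256="1be9e53de49352dd005694defe603db6ff2091c0e413c8517adca3772de411f3",
        sample_size=295976))
```

On the lines above this reports hyma.exe under all three keys: captured empty first, captured again with different content, and finally the same size as the submitted sample with a different hash. Which bytes differ is a question for the two files themselves, not for the log.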

Signatures

Yara rules detected for file (2 events)
rule screenshot: Take screenshot
rule keylogger: Run a keylogger
Allocates read-write-execute memory (usually to unpack itself) (50 out of 128 events)
Time & API Arguments Status Return Repeated (each event below lists the API name, its arguments, then a row of three numbers: status, return value and repeat count; 1 0 0 means the call succeeded, returned 0 and was not repeated)

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77800000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7781c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ea8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ebf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e75000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75f2f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e95000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ea4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ea8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e97000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e5b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e8f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ff3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ff6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ff4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ff6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ff7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d88000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d69000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77812000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77822000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77844000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7784e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d38000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d37000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d38000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d38000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d30000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d37000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d28000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d34000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d2b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d33000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d27000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d28000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d27000
process_handle: 0xffffffff
1 0 0
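Reading 128 of these records by hand is error-prone; the flattened layout (API name, key: value arguments, then the status/return/repeated row) is simple to parse and the interesting question is where each RWX region lands. The Python below is an added example, not code from the Cuckoo project; it parses four records copied from this report as constructed input, takes the sample's own image region from the NtAllocateVirtualMemory event at 0x00400000 above (270336 bytes), maps pids to names using the analyzer log above, and separates in-process RWX allocations from RWX protection changes inside the sample's image, inside its own allocations, or in the high address range where none of its allocations sit, and from allocations made through a handle to another process as in the later "Allocates execute permission to another process" events. The 0x70000000 threshold, the category names and the helper names are the example's own assumptions.

```python
import re

# Constructed input: four API records copied from the report above in Cuckoo's flattened
# layout (API name, "key: value" arguments, then the "status return repeated" row).
API_EVENTS = """\
NtAllocateVirtualMemory
process_identifier: 2832
region_size: 270336
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 2832
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 2832
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77800000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory
process_identifier: 1492
region_size: 270336
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02680000
process_handle: 0x00000168
1 0 0
"""
# pid -> image name, copied from the analyzer log above ("executed process" / "Injected into process").
PID_NAMES = {2832: "00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe", 1352: "hyma.exe",
             1492: "taskhost.exe", 1592: "dwm.exe", 1724: "explorer.exe"}

ARG_RE = re.compile(r"^(?P<key>[a-z_]+): (?P<value>.+)$")
ROW_RE = re.compile(r"^\d+ \d+ \d+$")  # status, return, repeated
PAGE_EXECUTE_READWRITE, SELF_HANDLE = 0x40, 0xFFFFFFFF


def _int(value):
    # '64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x0040c000' -> 0x40c000
    return int(value.split()[0], 0)


def parse_api_events(text):
    """Turn the flattened records into [{'api': name, 'args': {...}, 'status': int}]."""
    records, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        arg = ARG_RE.match(line)
        if arg and current is not None:
            current["args"][arg.group("key")] = arg.group("value")
        elif ROW_RE.match(line) and current is not None:
            current["status"] = int(line.split()[0])
            records.append(current)
            current = None
        else:
            current = {"api": line, "args": {}}
    return records


def classify_rwx(records, names, image_base, image_size):
    """Label each successful RWX allocation or protection change by where it lands and who owns it."""
    own, findings = [], []  # regions the sample allocated in its own process
    for r in records:
        a = r["args"]
        if r["status"] != 1 or _int(a.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        base, pid = _int(a["base_address"]), _int(a["process_identifier"])
        if r["api"] == "NtAllocateVirtualMemory":
            size = _int(a["region_size"])
            if _int(a["process_handle"]) == SELF_HANDLE:
                own.append((base, size))
                kind = "self_rwx_alloc"
            else:  # handle to another process: staging memory for injection
                kind = "remote_rwx_alloc"
        elif r["api"] == "NtProtectVirtualMemory":
            size = _int(a["length"])
            if image_base <= base < image_base + image_size:
                kind = "rwx_in_own_image"   # the sample rewriting its own mapped image
            elif any(b <= base < b + s for b, s in own):
                kind = "rwx_in_own_alloc"
            elif base >= 0x70000000:       # assumed threshold: above anything the sample allocated
                kind = "rwx_in_high_range"
            else:
                kind = "rwx_other"
        else:
            continue
        findings.append({"kind": kind, "pid": pid, "process": names.get(pid, "?"), "base": base, "size": size})
    return findings


if __name__ == "__main__":
    for f in classify_rwx(parse_api_events(API_EVENTS), PID_NAMES, 0x00400000, 270336):
        print(f"{f['kind']:18} pid={f['pid']} ({f['process']}) base={f['base']:#010x} size={f['size']}")
```

Run over the full event list, the NtProtectVirtualMemory calls at 0x75xxxxxx and 0x77xxxxxx above all land in the high range, outside every region the sample allocated for itself and in the part of a 32-bit address space where Windows maps its own DLLs. That is consistent with, not proof of, code being patched into already-loaded modules; the memory.dmp the Cuckoo log shows being taken at the end of the run is the place to confirm it.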
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TABBNLZUWGPSERX
1 1 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0
This is the message cmd.exe prints when the batch file it is running has been deleted before cmd.exe reads the next line from it, so the dropped tmp82dfcd5b.bat (278 bytes in the upload log above) most likely deletes itself, the usual way a dropper removes its helper script.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, InstallDate) (3 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .text5
section .text6
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name MUI
resource name WEVT_TEMPLATE
One or more processes crashed (1 event; the stack below is in mobsync.exe, pid 608, which the analyzer log shows terminating about one second after the monitor was injected into it)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd5f9e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefd8f73c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefddd62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefd9bb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefddd21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefdc8d8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7fefdc91bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7fefdc91b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7fefdc917eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7fefdc91417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7fefdc894fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7fefdc89428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7fefdc89b49
CoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7fefdc7dfd3
CoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7fefdc7dc58
CoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7fefdc7d62f
CoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7fefdc7de96
ObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7fefdcaaec2
CoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7fefdc82324
CoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7fefdc806c8
CoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7fefdc80699
CoDisableCallCancellation+0x3fc ObjectStublessClient24-0xe4 ole32+0xe7ac @ 0x7fefdc6e7ac
CoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7fefdc813ba
New_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x7470774b
mobsync+0x6840 @ 0xff876840
mobsync+0x70ae @ 0xff8770ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x774f652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x7762c541

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 90 90 90 90 90 90 90 90
exception.symbol: RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012 (RPC_E_SERVER_DIED_DNE)
exception.offset: 40541
exception.address: 0x7fefd5f9e5d
registers.r14: 0
registers.r15: 0
registers.rcx: 1238224
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1245040
registers.r11: 1239984
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2003504140
registers.r13: 0
1 0 0
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator\AppData\Roaming\Uzqasu\hyma.exe
file C:\Users\Administrator\AppData\Local\Temp\tmp82dfcd5b.bat
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000160
filepath: C:\Users\Administrator\AppData\LocalLow\eccame.vyd
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: \??\C:\Users\Administrator\AppData\LocalLow\eccame.vyd
create_options: 4192 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1\AppData\Local\Temp\tmp82dfcd5b.bat"
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\00e1b5fbe988040bc1d8d730a6409b191c9d44d3.exe
(This is the path the sandbox itself ran the submitted sample from, per the analyzer log, not a second dropped binary; the executable the sample actually dropped is hyma.exe under AppData\Roaming\Uzqasu, listed above.)
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .text: size_of_data 0x00042200, virtual_address 0x00001000, virtual_size 0x0004210e, entropy 7.746031957669219 description A section with a high entropy has been found
entropy 0.921602787456 description Overall entropy of this PE file is high
One or more of the buffers contains an embedded PE file (8 events)
Allocates execute permission to another process indicative of possible code injection (8 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory (8 calls, one per target process; all arguments identical except process_identifier and base_address)

region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000168
Status 1, Return 0, Repeated 0 for every call

process_identifier   base_address
1492                 0x02680000
1592                 0x01c20000
1724                 0x03d10000
1672                 0x00240000
608                  0x003e0000
2968                 0x02ab0000
2832                 0x023c0000
2776                 0x06e10000
Installs itself for autorun at Windows startup (50 out of 93 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{80601B30-FADA-AD4A-1F2F-A02B0BD98336} reg_value C:\Users\Administrator\AppData\Roaming\Uzqasu\hyma.exe
Deletes executed files from disk (1 event)
file C:\Users\Administrator\AppData\Roaming\Uzqasu\hyma.exe
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (16 events)
Process injection Process 1352 created a remote thread in non-child process 1492
Process injection Process 1352 created a remote thread in non-child process 1592
Process injection Process 1352 created a remote thread in non-child process 1724
Process injection Process 1352 created a remote thread in non-child process 1672
Process injection Process 1352 created a remote thread in non-child process 608
Process injection Process 1352 created a remote thread in non-child process 2968
Process injection Process 1352 created a remote thread in non-child process 2832
Process injection Process 1352 created a remote thread in non-child process 2776
Time & API Arguments Status Return Repeated

CreateRemoteThread (8 calls, one per target process; all arguments identical except process_identifier and function_address)

thread_identifier: 0
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000168

process_identifier   function_address   Status Return Repeated (as logged)
1492                 0x026af042         0 0
1592                 0x01c4f042         0 0
1724                 0x03d3f042         0 0
1672                 0x0026f042         1 364 0
608                  0x0040f042         0 0
2968                 0x02adf042         1 364 0
2832                 0x023ef042         1 364 0
2776                 0x06e3f042         0 0
Manipulates memory of a non-child process indicative of process injection (16 events)
Process injection Process 1352 manipulating memory of non-child process 1492
Process injection Process 1352 manipulating memory of non-child process 1592
Process injection Process 1352 manipulating memory of non-child process 1724
Process injection Process 1352 manipulating memory of non-child process 1672
Process injection Process 1352 manipulating memory of non-child process 608
Process injection Process 1352 manipulating memory of non-child process 2968
Process injection Process 1352 manipulating memory of non-child process 2832
Process injection Process 1352 manipulating memory of non-child process 2776
Potential code injection by writing to the memory of another process (40 events)
Process injection Process 1352 injected into non-child 1492
Process injection Process 1352 injected into non-child 1592
Process injection Process 1352 injected into non-child 1724
Process injection Process 1352 injected into non-child 1672
Process injection Process 1352 injected into non-child 608
Process injection Process 1352 injected into non-child 2968
Process injection Process 1352 injected into non-child 2832
Process injection Process 1352 injected into non-child 2776
Time & API Arguments Status Return Repeated

WriteProcessMemory (32 calls, four per target process; process_handle 0x00000168 and Status 1, Return 1, Repeated 0 for every call; the buffer column reproduces the logged bytes as extracted, and a blank cell is a byte that did not render)

process_identifier   base_address   buffer
1492                 0x026bde20
1492                 0x026bde34     h
1492                 0x026be4fc     °
1492                 0x026be500
1592                 0x01c5de20
1592                 0x01c5de34     Â
1592                 0x01c5e4fc     ø
1592                 0x01c5e500     `
1724                 0x03d4de20
1724                 0x03d4de34     Ñ
1724                 0x03d4e4fc     D
1724                 0x03d4e500
1672                 0x0027de20
1672                 0x0027de34     $
1672                 0x0027e4fc     €
1672                 0x0027e500     Œ
608                  0x0041de20
608                  0x0041de34     >
608                  0x0041e4fc     ì
608                  0x0041e500     ˆ
2968                 0x02aede20
2968                 0x02aede34     «
2968                 0x02aee4fc     (
2968                 0x02aee500
2832                 0x023fde20
2832                 0x023fde34     <
2832                 0x023fe4fc     p
2832                 0x023fe500     t
2776                 0x06e4de20
2776                 0x06e4de34     á
2776                 0x06e4e4fc     t
2776                 0x06e4e500     4
Harvests credentials from local email clients (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\news
Zeus P2P (Banking Trojan) (50 out of 51 events)
File has been identified by 12 AntiVirus engines on IRMA as malicious (12 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Barys.953 (Engine A)
Avast Core Security (Linux) Win32:Karagany
Trend Micro SProtect (Linux) Mal_Ransom-1
Trellix (Linux) PWS-Zbot.gen.bew trojan
WithSecure (Linux) Trojan.TR/Spy.Zbot.EB.42
eScan Antivirus (Linux) Gen:Variant.Barys.953(DB)
ESET Security (Windows) a variant of Win32/Kryptik.AEGF trojan
Sophos Anti-Virus (Linux) Troj/Agent-VSS
DrWeb Antivirus (Linux) Trojan.PWS.Panda.4425
Bitdefender Antivirus (Linux) Gen:Variant.Barys.953
Kaspersky Standard (Windows) Packed.Win32.Krap.iu
Emsisoft Commandline Scanner (Windows) Gen:Variant.Barys.953 (B)
File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.lw2L
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal TrojanPWS.Zbot.Y
McAfee PWS-Zbot.gen.bew
ALYac Gen:Variant.Barys.953
Cylance unsafe
VIPRE Gen:Variant.Barys.953
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0040f02a1 )
BitDefender Gen:Variant.Barys.953
K7GW Trojan ( 005a0f3d1 )
Cybereason malicious.c4a273
Arcabit Trojan.Barys.953
Baidu Win32.Adware.Kryptik.b
VirIT Trojan.Win32.Banker.HN
Cyren W32/Zbot.DQ.gen!Eldorado
Symantec Packed.Generic.459
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Kryptik.AEGF
APEX Malicious
Avast Win32:Karagany
Kaspersky Packed.Win32.Krap.iu
Alibaba TrojanPSW:Win32/Kryptik.7c9d0127
NANO-Antivirus Trojan.Win32.Krap.ckxapk
SUPERAntiSpyware Trojan.Agent/Gen-Zbot
MicroWorld-eScan Gen:Variant.Barys.953
Rising Dropper.Win32.Uppepa.a (CLASSIC)
Emsisoft Gen:Variant.Barys.953 (B)
F-Secure Trojan.TR/Spy.Zbot.EB.42
DrWeb Trojan.PWS.Panda.4425
Zillya Trojan.Kryptik.Win32.409128
TrendMicro Mal_Ransom-1
McAfee-GW-Edition BehavesLike.Win32.ZBot.dc
Trapmine malicious.high.ml.score
FireEye Generic.mg.fe3dffdc4a273c8d
Sophos Troj/Agent-VSS
Ikarus Trojan.Win32.Crypt
Jiangmin Packed.Krap.eynh
Webroot W32.Malware.Gen
Avira TR/Spy.Zbot.EB.42
MAX malware (ai score=80)
Antiy-AVL GrayWare/Win32.Kryptik.ehls
Gridinsoft Spy.Win32.Zbot.vl!i
Xcitium TrojWare.Win32.Kryptik.ADXK@4nyoqo
Microsoft PWS:Win32/Zbot.gen!AF
ViRobot Trojan.Win32.Z.Zbot.295976
ZoneAlarm Packed.Win32.Krap.iu
GData Gen:Variant.Barys.953
DNS lookups (Name / Response / Post-Analysis Lookup): No hosts contacted.
Network hosts (IP Address / Status / Action / VT / Location): No hosts contacted.