Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 13, 2021, 9:13 a.m.	April 13, 2021, 9:17 a.m.

Size	4.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`29389832e538957dc769cf709f80144a`
SHA256	`d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035`
CRC32	`252E91F9`
ssdeep	`98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR`
Yara	screenshot - Take screenshot win_mutex - Create or check mutex win_registry - Affect system registries win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check

p33.exe "C:\Users\test22\AppData\Local\Temp\p33.exe"
2948
- msiexec.exe msiexec.exe /i "C:\Users\test22\AppData\Local\Temp\gdiview.msi"
  1556
- 26FF190E7AE0F7C7.exe C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp3
  1304
  - ThunderFW.exe C:\Users\test22\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\test22\AppData\Local\Temp\download\MiniThunderPlatform.exe"
    804
  - cmd.exe cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
    2720
    - PING.EXE ping 127.0.0.1 -n 3
      2388
- 26FF190E7AE0F7C7.exe C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp3
  596
  - cmd.exe cmd.exe /c taskkill /f /im chrome.exe
    2668
    - taskkill.exe taskkill /f /im chrome.exe
      1572
  - cmd.exe cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
    2080
    - PING.EXE ping 127.0.0.1 -n 3
      872
- cmd.exe cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\p33.exe"
  1976
  - PING.EXE ping 127.0.0.1 -n 3
    2908
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
back19e64ea00d6ecfe1.io
c431a802ff4a46b5.com
55be681fc6760236.com
9ED2FEEA30C3CC5D.com
55BE681FC6760236.com
C431A802FF4A46B5.com
61d53b5a4bc1ab86.com
84b5a35d6e5335ef.com
61D53B5A4BC1AB86.com
bdc347c728b2d94d.com
9ed2feea30c3cc5d.com
BDC347C728B2D94D.com
84B5A35D6E5335EF.com

IP Address	Status	Action
101.99.91.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 9:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:13 a.m.			0	0
IsDebuggerPresent April 13, 2021, 9:13 a.m.			0	0

Command line console output was observed (50 out of 51 events)

Time & API	Arguments	Status	Return
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1
WriteConsoleW April 13, 2021, 9:13 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe console_handle: 0x00000007	1	1
WriteConsoleW April 13, 2021, 9:13 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW April 13, 2021, 9:13 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA April 13, 2021, 9:13 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 9:13 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 13, 2021, 9:13 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x74bff777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74d6419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x74de011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x74ad5d00 StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x74ad5ce1 StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x74ad5d3f SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x74b08f82 SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x74b08ec3 PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x74afbac3 SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x74b088e8 New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x73cc5180 MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x72ac1bab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80070005 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 66385508 registers.edi: 1957755408 registers.eax: 66385508 registers.ebp: 66385588 registers.edx: 0 registers.ebx: 8816388 registers.esi: 2147942405 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 13, 2021, 9:13 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x74bff777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74d6419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x74de011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x74ad5d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x74ad5ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x74ad5d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x74b08f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x74b08ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x74afbac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x74b088e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x73cc5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x72ac1bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80070005
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 66385508
registers.edi: 1957755408
registers.eax: 66385508
registers.ebp: 66385588
registers.edx: 0
registers.ebx: 8816388
registers.esi: 2147942405
registers.ecx: 0

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 2948 region_size: 3387392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72434000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72472000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ef0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03fc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 1304 region_size: 3387392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 596 region_size: 3387392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 156 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13718077440 free_bytes_available: 13718077440 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3349140 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13718036480 free_bytes_available: 13718036480 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3349130 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13718036480 free_bytes_available: 13718036480 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3349130 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13718036480 free_bytes_available: 13718036480 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3349130 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722050560 free_bytes_available: 13722050560 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350110 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13722017792 free_bytes_available: 13722017792 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350102 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 13, 2021, 9:13 a.m.	total_number_of_free_bytes: 13721997312 free_bytes_available: 13721997312 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 13, 2021, 9:13 a.m.	number_of_free_clusters: 3350097 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 51 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\icon48.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\background.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\jquery-1.8.3.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\book.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\icon.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\popup.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\popup.html
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\hihistory
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\History
file	C:\Users\test22\AppData\Local\Chromium\User Data

Creates executable files on the filesystem (14 events)

file	C:\Users\test22\AppData\Local\Temp\download\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\download\download_engine.dll
file	C:\Users\test22\AppData\Local\Temp\download\MiniThunderPlatform.exe
file	C:\Users\test22\AppData\Local\Temp\download\ThunderFW.exe
file	C:\Users\test22\AppData\Local\Temp\download\msvcr71.dll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\background.js
file	C:\Users\test22\AppData\Local\Temp\download\msvcp71.dll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\jquery-1.8.3.min.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\book.js
file	C:\Users\test22\AppData\Local\Temp\gdiview.msi
file	C:\Users\test22\AppData\Local\Temp\download\dl_peer_id.dll
file	C:\Users\test22\AppData\Local\Temp\xldl.dll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\injladdpehnncniclpbbmppdiphpnhgd\1.0.0.0_0\popup.js
file	C:\Users\test22\AppData\Local\Temp\download\atl71.dll

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\Desktop\GDIView.exe.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Drops an executable to the user AppData folder (11 events)

file	C:\Users\test22\AppData\Local\Temp\download\msvcr71.dll
file	C:\Users\test22\AppData\Local\Temp\MSI6B26.tmp
file	C:\Users\test22\AppData\Local\Temp\download\atl71.dll
file	C:\Users\test22\AppData\Local\Temp\download\dl_peer_id.dll
file	C:\Users\test22\AppData\Local\Temp\p33.exe
file	C:\Users\test22\AppData\Local\Temp\download\download_engine.dll
file	C:\Users\test22\AppData\Local\Temp\download\msvcp71.dll
file	C:\Users\test22\AppData\Local\Temp\xldl.dll
file	C:\Users\test22\AppData\Local\Temp\download\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\download\MiniThunderPlatform.exe
file	C:\Users\test22\AppData\Local\Temp\download\ThunderFW.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 13, 2021, 9:13 a.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 143360 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (25 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 13, 2021, 9:06 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	taskkill /f /im chrome.exe
cmdline	ping 127.0.0.1 -n 3
cmdline	cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\p33.exe"
cmdline	cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\26FF190E7AE0F7C7.exe"
cmdline	cmd.exe /c taskkill /f /im chrome.exe

Communicates with host for which no DNS query was performed (1 event)

host

101.99.91.200

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 13, 2021, 9:13 a.m.	key_handle: 0x00000310 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen12.33370
MicroWorld-eScan	Trojan.GenericKD.45902695
FireEye	Trojan.GenericKD.45902695
CAT-QuickHeal	Rootkit.Win64
McAfee	Artemis!29389832E538
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Suspicious.Win32.SpikeAexR.PEVPSZL
K7AntiVirus	Trojan ( 0057698e1 )
Alibaba	Rootkit:Win64/Frank.49d5323e
K7GW	Trojan ( 0057698e1 )
Cybereason	malicious.2e5389
Arcabit	Trojan.Generic.D2BC6B67
Cyren	W32/Trojan.YYBQ-1096
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HJTL
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Rootkit.Win64.Frank.adm
BitDefender	Trojan.GenericKD.45902695
NANO-Antivirus	Trojan.Win32.Kryptik.iphmkx
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.11bb6716
Ad-Aware	Trojan.GenericKD.45902695
Sophos	Mal/Generic-S
Comodo	Malware@#2ppl5n9wbpuio
F-Secure	Heuristic.HEUR/AGEN.1140549
Zillya	Rootkit.Frank.Win64.87
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.45902695 (B)
Ikarus	Trojan.Win32.Krypt
Jiangmin	Rootkit.Frank.bf
Avira	HEUR/AGEN.1140549
Microsoft	Trojan:Win32/Vigorf.A
ViRobot	Trojan.Win32.Z.Frank.4255416
ZoneAlarm	Rootkit.Win64.Frank.adm
GData	Trojan.GenericKD.45902695
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win32.Generic.R372369
MAX	malware (ai score=100)
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TROJ_GEN.R002H0CCA21
Rising	Trojan.Kryptik!1.CF89 (CLOUD)
Yandex	Rootkit.Frank!HeFmQiT7svI
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/GenKryptik.EZLB!tr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A

p33.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All