Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 29, 2021, 10:19 p.m.	April 29, 2021, 10:25 p.m.

Size	225.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`c58d5a146655600ac6ecfa5a779b437b`
SHA256	`7ba37adf2175d8fe13605f3dae3df5ee527db3ec53d60c44a2fb0d6ebffc4e72`
CRC32	`EB1EB17B`
ssdeep	`6144:x5aWbksiNTBrOIF18gltcf/Tz+nPVlYNuJA:x5atNT5OIgg4fXWXYNuJA`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

CleanApex.exe "C:\Users\test22\AppData\Local\Temp\CleanApex.exe"
4244
- cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat C:\Users\test22\AppData\Local\Temp\CleanApex.exe"
  2352
  - taskkill.exe taskkill /f /im smartscreen.exe
    7032
  - taskkill.exe taskkill /f /im EasyAntiCheat.exe
    8800
  - taskkill.exe taskkill /f /im dnf.exe
    3700
  - taskkill.exe taskkill /f /im DNF.exe
    6892
  - taskkill.exe taskkill /f /im CrossProxy.exe
    4496
  - taskkill.exe taskkill /f /im tensafe_1.exe
    2268
  - taskkill.exe taskkill /f /im TenSafe_1.exe
    7444
  - taskkill.exe taskkill /f /im tensafe_2.exe
    6596
  - taskkill.exe taskkill /f /im tencentdl.exe
    2600
  - taskkill.exe taskkill /f /im TenioDL.exe
    2648
  - taskkill.exe taskkill /f /im uishell.exe
    9112
  - taskkill.exe taskkill /f /im BackgroundDownloader.exe
    6440
  - taskkill.exe taskkill /f /im conime.exe
    8156
  - taskkill.exe taskkill /f /im QQDL.EXE
    2460
  - taskkill.exe taskkill /f /im qqlogin.exe
    2220
  - taskkill.exe taskkill /f /im dnfchina.exe
    7128
  - taskkill.exe taskkill /f /im dnfchinatest.exe
    3464
  - taskkill.exe taskkill /f /im dnf.exe
    7600
  - taskkill.exe taskkill /f /im txplatform.exe
    4992
  - taskkill.exe taskkill /f /im TXPlatform.exe
    3056
  - taskkill.exe taskkill /f /im OriginWebHelperService.exe
    4428
  - taskkill.exe taskkill /f /im Origin.exe
    3592
  - taskkill.exe taskkill /f /im OriginClientService.exe
    2200
  - taskkill.exe taskkill /f /im OriginER.exe
    2264
  - taskkill.exe taskkill /f /im OriginThinSetupInternal.exe
    3420
  - taskkill.exe taskkill /f /im OriginLegacyCLI.exe
    9208
  - taskkill.exe taskkill /f /im Agent.exe
    108
  - taskkill.exe taskkill /f /im Client.exe
    4756
  - sc.exe Sc stop EasyAntiCheat
    7324

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123

IP Address	Status	Action
142.250.199.67	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.104.35.123	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49933 -> 142.250.199.67:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49933 142.250.199.67:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22

Queries for the computername (28 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 10:20 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 604 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im smartscreen.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im EasyAntiCheat.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im dnf.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im DNF.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im CrossProxy.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im tensafe_1.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im TenSafe_1.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im tensafe_2.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im tencentdl.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im TenioDL.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im uishell.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:19 p.m.	buffer: /f /im BackgroundDownloader.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: /f /im conime.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: /f /im QQDL.EXE console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: /f /im qqlogin.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: /f /im dnfchina.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW April 29, 2021, 10:20 p.m.	buffer: taskkill console_handle: 0x0000000000000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b

Performs some HTTP requests (2 events)

request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\CleanApex.exe

Executes one or more WMI queries (27 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tensafe_1.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Origin.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CrossProxy.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DNF.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BackgroundDownloader.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TenSafe_1.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "conime.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Client.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tensafe_2.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginER.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "uishell.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnf.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "smartscreen.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TXPlatform.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Agent.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginThinSetupInternal.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnfchina.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "txplatform.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TenioDL.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginLegacyCLI.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginWebHelperService.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "QQDL.EXE")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EasyAntiCheat.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnfchinatest.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tencentdl.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "qqlogin.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginClientService.exe")

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.11033437290647, u'name': u'.rdata', u'virtual_size': u'0x000033a8'}

entropy

7.11033437291

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00022800', u'virtual_address': u'0x00019000', u'entropy': 7.997070343666379, u'name': u'.rsrc', u'virtual_size': u'0x00022648'}

entropy

7.99707034367

description

A section with a high entropy has been found

entropy

0.674107142857

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (28 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 29, 2021, 10:20 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 29, 2021, 10:20 p.m.	status_code: 0xffffffff process_identifier: 2352 process_handle: 0x000000d8		0	0
NtTerminateProcess April 29, 2021, 10:20 p.m.	status_code: 0xffffffff process_identifier: 2352 process_handle: 0x000000d8		3221225738	0

Uses Windows utilities for basic Windows functionality (29 events)

cmdline	taskkill /f /im OriginER.exe
cmdline	taskkill /f /im tencentdl.exe
cmdline	taskkill /f /im OriginThinSetupInternal.exe
cmdline	taskkill /f /im dnf.exe
cmdline	Sc stop EasyAntiCheat
cmdline	taskkill /f /im Origin.exe
cmdline	taskkill /f /im TXPlatform.exe
cmdline	taskkill /f /im conime.exe
cmdline	taskkill /f /im Agent.exe
cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat C:\Users\test22\AppData\Local\Temp\CleanApex.exe"
cmdline	taskkill /f /im uishell.exe
cmdline	taskkill /f /im dnfchina.exe
cmdline	taskkill /f /im qqlogin.exe
cmdline	taskkill /f /im TenSafe_1.exe
cmdline	taskkill /f /im BackgroundDownloader.exe
cmdline	taskkill /f /im txplatform.exe
cmdline	taskkill /f /im Client.exe
cmdline	taskkill /f /im CrossProxy.exe
cmdline	taskkill /f /im OriginLegacyCLI.exe
cmdline	taskkill /f /im tensafe_2.exe
cmdline	taskkill /f /im EasyAntiCheat.exe
cmdline	taskkill /f /im smartscreen.exe
cmdline	taskkill /f /im OriginWebHelperService.exe
cmdline	taskkill /f /im OriginClientService.exe
cmdline	taskkill /f /im QQDL.EXE
cmdline	taskkill /f /im dnfchinatest.exe
cmdline	taskkill /f /im DNF.exe
cmdline	taskkill /f /im tensafe_1.exe
cmdline	taskkill /f /im TenioDL.exe

Communicates with host for which no DNS query was performed (2 events)

host	142.250.199.67
host	172.217.25.14

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 106 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\test email.zip
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Temp\jawshtml.html
file	C:\Users\test22\AppData\Local\Temp\test email-3.zip
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file	C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file	C:\Users\test22\AppData\Local\Temp\CleanApex.exe
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file	C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\java_install.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file	C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file	C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file	C:\Users\test22\AppData\Local\Temp\test email-6.zip
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log
file	C:\Users\test22\AppData\Local\Temp\7zO8F39374F\test.docx
file	C:\Users\test22\AppData\Local\Temp\Outlook 로깅\test2gmailcom-Incoming-04_05_2018-14_18_32_876.log
file	C:\Users\test22\AppData\Local\Temp\test email-5.zip
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844-MSI_netfx_Full_x64.msi.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000014.log
file	C:\Users\test22\AppData\Local\Temp\test email-4.zip
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000005.log
file	C:\Users\test22\AppData\Local\Temp\7zO4B1094CA\test.docx
file	C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051341_086.txt
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000010.log

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.15ec37
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Ransom.dc
MaxSecure	Trojan.Malware.300983.susgen
FireEye	Generic.mg.c58d5a146655600a
Sophos	ML/PE-A
AegisLab	Trojan.Win32.Generic.4!c
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Artemis!C58D5A146655
Rising	Malware.Heuristic!ET#99% (RDMK:cmRtazryDxR2o4l4/vaR+osAQpOI)
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
BitDefenderTheta	Gen:NN.ZexaF.34686.ouW@a4tVGc
CrowdStrike	win/malicious_confidence_90% (W)

CleanApex.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All