Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 25, 2021, 10:06 a.m.	Aug. 25, 2021, 10:08 a.m.

Size	3.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f1b4d4902447ce5caab448a1ceea1279`
SHA256	`82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f`
CRC32	`4701F7C4`
ssdeep	`98304:dZihAT0yIsO/Wjyzn3fizXpogVw3I5gWIaeoMlbMBF:dUhO0yrO+a3filzx5gSejQ`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
620
- ofine.exe "C:\Users\test22\AppData\Local\Temp\ventil\ofine.exe"
  2444
  - cmd.exe "cmd" /c cmd < Acre.swf
    2236
    - cmd.exe cmd
      1048
      - findstr.exe findstr /V /R "^KdKGllmZQSqdKbslgetCxiidbWkTmowGAeMkIkdKgTUfUaLzgYoDcxxDozphYGmIRzPIKuCrLzhBjRvtlSEBqnkyHoeferLIxjnADrIocyRwiTdsXteuwXHzoKqCtjqIHEiqzVB$" Dov.swf
        3052
      - Sta.exe.com Sta.exe.com Y
        2488
        
        Sta.exe.com C:\Users\test22\AppData\Roaming\Sta.exe.com Y
        560
        
        Sta.exe.com C:\Users\test22\AppData\Roaming\Sta.exe.com Y
        2704
        
        Sta.exe.com C:\Users\test22\AppData\Roaming\Sta.exe.com Y
        1632
      - PING.EXE ping TEST22-PC -n 30
        1304
- far.exe "C:\Users\test22\AppData\Local\Temp\ventil\far.exe"
  1224
  - IntelRapid.exe "C:\Users\test22\AppData\Roaming\Intel Rapid\IntelRapid.exe"
    2908
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
EGvEyaTrur.EGvEyaTrur

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 25, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2021, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 25, 2021, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 25, 2021, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 25, 2021, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 25, 2021, 10:06 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2021, 10:06 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: far+0x2da268 @ 0xd1a268 far+0x35d627 @ 0xd9d627 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3996876 registers.edi: 10903552 registers.eax: 3996876 registers.ebp: 3996956 registers.edx: 2130566132 registers.ebx: 1968963558 registers.esi: 2000778283 registers.ecx: 4028891136	1
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: exception.instruction_r: ed e9 7f fe 05 00 c3 e9 8a 50 05 00 34 00 14 61 exception.symbol: far+0x33f119 exception.instruction: in eax, dx exception.module: far.exe exception.exception_code: 0xc0000096 exception.offset: 3404057 exception.address: 0xd7f119 registers.esp: 3996996 registers.edi: 6763123 registers.eax: 1750617430 registers.ebp: 10903552 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: exception.instruction_r: ed e9 32 35 00 00 93 68 b2 72 11 0d a8 10 21 c7 exception.symbol: far+0x37fae1 exception.instruction: in eax, dx exception.module: far.exe exception.exception_code: 0xc0000096 exception.offset: 3668705 exception.address: 0xdbfae1 registers.esp: 3996996 registers.edi: 6763123 registers.eax: 1447909480 registers.ebp: 10903552 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: intelrapid+0x2da268 @ 0x13ba268 intelrapid+0x35d627 @ 0x143d627 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3602784 registers.edi: 17850368 registers.eax: 3602784 registers.ebp: 3602864 registers.edx: 2130566132 registers.ebx: 1968963558 registers.esi: 2000778283 registers.ecx: 4121821184	1
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: exception.instruction_r: ed e9 7f fe 05 00 c3 e9 8a 50 05 00 34 00 14 61 exception.symbol: intelrapid+0x33f119 exception.instruction: in eax, dx exception.module: IntelRapid.exe exception.exception_code: 0xc0000096 exception.offset: 3404057 exception.address: 0x141f119 registers.esp: 3602904 registers.edi: 7680692 registers.eax: 1750617430 registers.ebp: 17850368 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: exception.instruction_r: ed e9 32 35 00 00 93 68 b2 72 11 0d a8 10 21 c7 exception.symbol: intelrapid+0x37fae1 exception.instruction: in eax, dx exception.module: IntelRapid.exe exception.exception_code: 0xc0000096 exception.offset: 3668705 exception.address: 0x145fae1 registers.esp: 3602904 registers.edi: 7680692 registers.eax: 1447909480 registers.ebp: 17850368 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72764000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72811000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d23000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73752000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a54000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a54000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a54000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a54000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72811000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2021, 10:06 a.m.	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 25, 2021, 10:07 a.m.	total_number_of_free_bytes: 13684191232 free_bytes_available: 13684191232 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\nso602B.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\nsu62AB.tmp\nsExec.dll
file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Users\test22\AppData\Local\Temp\ventil\far.exe
file	C:\Users\test22\AppData\Local\Temp\ventil\ofine.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Users\test22\AppData\Local\Temp\nsu62AB.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Sta.exe.com
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Roaming\Intel Rapid\IntelRapid.exe

Creates a shortcut to an executable file (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\ventil\far.exe
file	C:\Users\test22\AppData\Local\Temp\nso602B.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\ventil\ofine.exe

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping TEST22-PC -n 30

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Checks for the presence of known windows from debuggers and forensic tools (50 out of 174 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 25, 2021, 10:06 a.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1048 resumed a thread in remote process 2488
NtResumeThread Aug. 25, 2021, 10:06 a.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 2488	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 25, 2021, 10:06 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 25, 2021, 10:06 a.m.	stacktrace: exception.instruction_r: ed e9 32 35 00 00 93 68 b2 72 11 0d a8 10 21 c7 exception.symbol: far+0x37fae1 exception.instruction: in eax, dx exception.module: far.exe exception.exception_code: 0xc0000096 exception.offset: 3668705 exception.address: 0xdbfae1 registers.esp: 3996996 registers.edi: 6763123 registers.eax: 1447909480 registers.ebp: 10903552 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.884377
FireEye	Gen:Variant.Razy.884377
ALYac	Gen:Variant.Razy.884377
Zillya	Trojan.Racealer.Win32.1307
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.02447c
BitDefenderTheta	AI:Packer.B0BB50EF1E
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	UDS:Backdoor.Win32.Agent.gen
BitDefender	Gen:Variant.Razy.884377
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Rising	Trojan.Generic@ML.100 (RDML:udbAU9pBwAcmTsInMaiXKA)
Sophos	Generic ML PUA (PUA)
VIPRE	Trojan.Win32.Generic.pak!cobra
McAfee-GW-Edition	BehavesLike.Win32.PUPXGH.wc
Emsisoft	Gen:Variant.Razy.884377 (B)
GData	Win32.Trojan.BSE.HLJWVB
Microsoft	Trojan:Win32/Glupteba!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Trojan-gen.C4442892
McAfee	Artemis!F1B4D4902447
MAX	malware (ai score=86)
VBA32	BScope.TrojanRansom.Foreign
Malwarebytes	Malware.AI.3005362190
eGambit	Unsafe.AI_Score_98%
AVG	Win32:TrojanX-gen [Trj]
Avast	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All