Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 19, 2023, 12:37 p.m.	Jan. 19, 2023, 12:40 p.m.

Size	5.3MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`03f0c3802261406b2967dbcfb79908a3`
SHA256	`912f7d82ed878471ace2ca79a7e17ecad0b2bdf430570e646efaa940b01fc579`
CRC32	`F18E102A`
ssdeep	`49152:HPF2LUHXcw7ADxCzjNNTpGktKDJ3Mx3Cww7JrzDNp0maVtGJUdBn02F1eNt:HN2L4Xcwcx+jvIrzFJUWN`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

buildppb.exe "C:\Users\test22\AppData\Local\Temp\buildppb.exe"
2552
- WMIC.exe wmic os get Caption
  2712
- cmd.exe cmd /C "wmic path win32_VideoController get name"
  2840
  - WMIC.exe wmic path win32_VideoController get name
    2900
- cmd.exe cmd /C "wmic cpu get name"
  2968
  - WMIC.exe wmic cpu get name
    3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
85.209.135.29	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2023, 12:38 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 19, 2023, 12:38 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:38 p.m.			0	0
IsDebuggerPresent Jan. 19, 2023, 12:38 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 19, 2023, 12:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 11071356 registers.edi: 5043036 registers.eax: 11071356 registers.ebp: 11071436 registers.edx: 53 registers.ebx: 11071720 registers.esi: 2147746133 registers.ecx: 4808784	1
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x734d6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x734d6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x734d27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x734d2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x734d253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x734d2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x734d25ab wmic+0x39c80 @ 0xfc9c80 wmic+0x3b06a @ 0xfcb06a wmic+0x3b1f8 @ 0xfcb1f8 wmic+0x36fcd @ 0xfc6fcd wmic+0x3d6e9 @ 0xfcd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 912624 registers.edi: 1953561104 registers.eax: 912624 registers.ebp: 912704 registers.edx: 1 registers.ebx: 4778532 registers.esi: 2147746133 registers.ecx: 1128038088	1
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 39447856 registers.edi: 4187700 registers.eax: 39447856 registers.ebp: 39447936 registers.edx: 53 registers.ebx: 39448220 registers.esi: 2147746133 registers.ecx: 3957120	1
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x734b6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x734b6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x734b27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x734b2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x734b253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x734b2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x734b25ab wmic+0x39c80 @ 0xb59c80 wmic+0x3b06a @ 0xb5b06a wmic+0x3b1f8 @ 0xb5b1f8 wmic+0x36fcd @ 0xb56fcd wmic+0x3d6e9 @ 0xb5d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2943776 registers.edi: 1953561104 registers.eax: 2943776 registers.ebp: 2943856 registers.edx: 1 registers.ebx: 3926764 registers.esi: 2147746133 registers.ecx: 1111506114	1
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 48297188 registers.edi: 7460028 registers.eax: 48297188 registers.ebp: 48297268 registers.edx: 7176980 registers.ebx: 48297552 registers.esi: 2147746133 registers.ecx: 7233824	1
__exception__ Jan. 19, 2023, 12:38 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x734b6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x734b6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x734b27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x734b2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x734b253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x734b2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x734b25ab wmic+0x39c80 @ 0x7f9c80 wmic+0x3b06a @ 0x7fb06a wmic+0x3b1f8 @ 0x7fb1f8 wmic+0x36fcd @ 0x7f6fcd wmic+0x3d6e9 @ 0x7fd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2222432 registers.edi: 1953561104 registers.eax: 2222432 registers.ebp: 2222512 registers.edx: 1 registers.ebx: 7203500 registers.esi: 2147746133 registers.ecx: 1111634082	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 19, 2023, 12:38 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:38 p.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2023, 12:38 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 1709 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\it
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\fr
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64\pnacl_public_pnacl_json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ro
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ko
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\kn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\km
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ka
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\it\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ro\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs

Creates a shortcut to an executable file (50 out of 53 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\테스트.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\Website.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시리얼넘버.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\age.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Python27.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\한글2010(정품) (2).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\시작프로그램.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\다운로드.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\1234.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exit.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk

Creates a suspicious process (5 events)

cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	cmd /C "wmic cpu get name"
cmdline	wmic os get Caption
cmdline	wmic path win32_VideoController get name
cmdline	wmic cpu get name

Executes one or more WMI queries (3 events)

wmi	SELECT Name FROM win32_VideoController
wmi	SELECT Caption FROM Win32_OperatingSystem
wmi	SELECT Name FROM WIN32_PROCESSOR

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	cmd /C "wmic path win32_VideoController get name"
cmdline	cmd /C "wmic cpu get name"
cmdline	wmic os get Caption
cmdline	wmic path win32_VideoController get name
cmdline	wmic cpu get name

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT Name FROM WIN32_PROCESSOR

Communicates with host for which no DNS query was performed (1 event)

host

85.209.135.29

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Appends a known multi-family ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Jan. 19, 2023, 12:37 p.m.	ordinal: 0 function_address: 0x0018fe55 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

Executed a process and injected code into it, probably while unpacking (50 out of 61 events)

Time & API	Arguments	Status	Return
NtGetContextThread Jan. 19, 2023, 12:37 p.m.	thread_handle: 0x0000010c	1	0
NtResumeThread Jan. 19, 2023, 12:37 p.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Jan. 19, 2023, 12:38 p.m.	thread_identifier: 2716 thread_handle: 0x00000148 process_identifier: 2712 current_directory: filepath: C:\Windows\System32\wbem\WMIC.exe track: 1 command_line: wmic os get Caption filepath_r: C:\Windows\System32\Wbem\wmic.exe stack_pivoted: 0 creation_flags: 525312 (CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000014c	1	1
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x0000012c	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Jan. 19, 2023, 12:38 p.m.	thread_identifier: 2844 thread_handle: 0x00000160 process_identifier: 2840 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /C "wmic path win32_VideoController get name" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 525312 (CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000164	1	1
CreateProcessInternalW Jan. 19, 2023, 12:38 p.m.	thread_identifier: 2972 thread_handle: 0x0000015c process_identifier: 2968 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /C "wmic cpu get name" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 525312 (CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000160	1	1
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130	1	0
NtSetContextThread Jan. 19, 2023, 12:38 p.m.	registers.eip: 4613824 registers.esp: 310565768 registers.edi: 0 registers.eax: 0 registers.ebp: 128 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000130 process_identifier: 2552	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000160	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000160	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000144	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000144	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtSetContextThread Jan. 19, 2023, 12:38 p.m.	registers.eip: 4613824 registers.esp: 310588428 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000154 process_identifier: 2552	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtSetContextThread Jan. 19, 2023, 12:38 p.m.	registers.eip: 4613824 registers.esp: 310588428 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000154 process_identifier: 2552	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000148	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164	1	0
NtResumeThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2552	1	0
NtGetContextThread Jan. 19, 2023, 12:38 p.m.	thread_handle: 0x00000164	1	0
NtSetContextThread Jan. 19, 2023, 12:38 p.m.	registers.eip: 4613824 registers.esp: 310590828 registers.edi: 0 registers.eax: 0 registers.ebp: 87 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000164 process_identifier: 2552	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Tasker.4!c
Elastic	malicious (moderate confidence)
MicroWorld-eScan	Gen:Variant.Babar.137259
FireEye	Generic.mg.03f0c3802261406b
ALYac	Gen:Variant.Babar.137259
Cylance	Unsafe
VIPRE	Gen:Variant.Babar.137259
K7AntiVirus	Trojan ( 0059bc771 )
Alibaba	Trojan:Win32/Tasker.9db4294f
K7GW	Trojan ( 0059bc771 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Babar.D2182B
Cyren	W32/Babar.TAAZ-4832
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of WinGo/Agent.JS
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Infostealer.Aurora-9980073-1
Kaspersky	HEUR:Trojan.Win32.Tasker.pef
BitDefender	Gen:Variant.Babar.137259
NANO-Antivirus	Trojan.Win32.Tasker.jugzao
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan.Tasker.Bkjl
Emsisoft	Gen:Variant.Babar.137259 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
McAfee-GW-Edition	BehavesLike.Win32.TrojanVeil.tm
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=88)
Gridinsoft	Malware.Win32.Aurora.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan.Win32.Tasker.pef
GData	Gen:Variant.Babar.137259
Google	Detected
McAfee	Artemis!03F0C3802261
VBA32	BScope.Trojan.Nacra
Malwarebytes	Malware.AI.3143201269
TrendMicro-HouseCall	TROJ_GEN.R002H0CAI23
Rising	Trojan.Generic@AI.100 (RDML:nCzToSOXvAFJZFcGpBMd2Q)
Ikarus	Trojan-Spy.TitanStealer
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GoAgent.IE!tr
BitDefenderTheta	Gen:NN.ZexaF.36212.@BZ@aKLnmOe
AVG	Win32:Evo-gen [Trj]
Panda	Trj/Genetic.gen

buildppb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All