Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 14, 2023, 4:57 p.m.	May 14, 2023, 5:01 p.m.

Size	16.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8589fe09a6ad2bdc47a753125086f742`
SHA256	`d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d`
CRC32	`C7B9491C`
ssdeep	`196608:WcywI4gKOVUosfPfgy4f1SEmaa7jgs2EnIyolKU72urtYF6N6YHYU4vcv0NXAAqL:0wI4Zhoc0AAEnwluI0Y4UKXxUsDcFn`
PDB Path	C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

ProtonVPN_v3.0.5.exe "C:\Users\test22\AppData\Local\Temp\ProtonVPN_v3.0.5.exe"
2576
- msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ProtonVPN.msi" AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\ProtonVPN_v3.0.5.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1684051008 "
  2752
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 14, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 4:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 4:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 4:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2023, 4:57 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 4:57 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72802000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72801000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72802000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72271000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04020000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72262000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 4:57 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728a1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 787 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Proton Technologies AG\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13305180160 free_bytes_available: 13305180160 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 13305180160	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13293527040 free_bytes_available: 13293527040 root_path: \\?\C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ total_number_of_bytes: 13293527040	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:59 p.m.	total_number_of_free_bytes: 13299204096 free_bytes_available: 13299204096 root_path: \\?\C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ total_number_of_bytes: 13299204096	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291343872 free_bytes_available: 13291343872 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244957 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291315200 free_bytes_available: 13291315200 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244950 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291315200 free_bytes_available: 13291315200 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244950 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291315200 free_bytes_available: 13291315200 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244950 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:57 p.m.	total_number_of_free_bytes: 13291315200 free_bytes_available: 13291315200 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:57 p.m.	number_of_free_clusters: 3244950 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:58 p.m.	total_number_of_free_bytes: 13291233280 free_bytes_available: 13291233280 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:58 p.m.	number_of_free_clusters: 3244930 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:58 p.m.	total_number_of_free_bytes: 13291233280 free_bytes_available: 13291233280 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:58 p.m.	number_of_free_clusters: 3244930 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:58 p.m.	total_number_of_free_bytes: 13291245568 free_bytes_available: 13291245568 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:58 p.m.	number_of_free_clusters: 3244933 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:58 p.m.	total_number_of_free_bytes: 13291245568 free_bytes_available: 13291245568 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:58 p.m.	number_of_free_clusters: 3244933 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 14, 2023, 4:58 p.m.	total_number_of_free_bytes: 13291225088 free_bytes_available: 13291225088 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW May 14, 2023, 4:58 p.m.	number_of_free_clusters: 3244928 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ProtonVPN.msi

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ProtonVPN\ProtonVPN.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\MSIF0E7.tmp

Checks for the Locally Unique Identifier on the system for a suspicious privilege (39 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:57 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 14, 2023, 4:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Cylance	unsafe
Sangfor	Trojan.Win32.Kryptik.V7fb
Alibaba	Backdoor:Win32/Tofsee.6433a11f
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HTMP
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware [Misc]
Tencent	Win32.Backdoor.Tofsee.Uimw
McAfee-GW-Edition	Artemis
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Krypt
ZoneAlarm	HEUR:Backdoor.Win32.Tofsee.gen
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
McAfee	Artemis!8589FE09A6AD
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DED23
Rising	Trojan.Generic@AI.100 (RDML://at723IiFFBuV4ByF7PWA)
Fortinet	W32/Kryptik.HTMP!tr
AVG	FileRepMalware [Misc]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

ProtonVPN_v3.0.5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All