Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 5, 2023, 2:31 p.m.	July 5, 2023, 2:36 p.m.

Size	2.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5a5ad5743da1c888bf3b54ccc3e34ff5`
SHA256	`fd17fd333847a2bd4da021b63728f87f44997631fbc76c7f25088b5c04eddd98`
CRC32	`E917221D`
ssdeep	`49152:uqe3f6F+bs8IuWKNIl8IKpKyGXNaPzU3+zOAbL8SffPMWrQ0Zk+:fSiszIZKuKpKyYeDPnPcMZ`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.exe "C:\Users\test22\AppData\Local\Temp\5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.exe"
2564
- 5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.tmp "C:\Users\test22\AppData\Local\Temp\is-TCEFR.tmp\5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.tmp" /SL5="$80178,2209008,831488,C:\Users\test22\AppData\Local\Temp\5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.exe"
  2640
  - taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im SmartBridgeLauncher.exe
    2744
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn SmartBridgeLauncher /f
    2892
  - ndp48-web.exe "C:\Users\test22\AppData\Local\Temp\is-8JDV0.tmp\ndp48-web.exe" /q /norestart
    2956
    - Setup.exe C:\8e051fc3d4265a89f50407ff5a05bb\\Setup.exe /q /norestart /x86 /x64 /web
      3016
      - SetupUtility.exe SetupUtility.exe /aupause
        1484
      - SetupUtility.exe SetupUtility.exe /screboot
        2256
      - TMP31DE.tmp.exe TMP31DE.tmp.exe /Q /X:C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe.tmp
        2476
      - Dism.exe dism.exe /quiet /norestart /online /add-package /packagepath:"C:\8e051fc3d4265a89f50407ff5a05bb\Windows6.1-KB4019990-x64.cab"
        2144
        
        DismHost.exe C:\Users\test22\AppData\Local\Temp\8012A897-09B9-4BBB-939F-6ABD85C125A6\dismhost.exe {397EE62C-54E1-4BA2-975D-8A5F96B70ECC}
        1364
      - SetupUtility.exe SetupUtility.exe /msureboot 528403
        1928
      - SetupUtility.exe SetupUtility.exe /auresume
        2180
      - NDP48-x86-x64-AllOS-KOR.exe NDP48-x86-x64-AllOS-KOR.exe /q /x86 /x64 /norestart /skipenucheck /keepaupaused /chainingpackage "Microsoft .NET Framework 4.8" /pipe SectionName_2328874451 /log "C:\Users\test22\AppData\Local\Temp"
        2852
        
        Setup.exe C:\544756739cb65cb612c2d6c6e1\\Setup.exe /q /x86 /x64 /norestart /skipenucheck /keepaupaused /chainingpackage "Microsoft .NET Framework 4.8" /pipe SectionName_2328874451 /log "C:\Users\test22\AppData\Local\Temp" /x86 /x64 /lcid 1042 /lpredist
        1616
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.microsoft.com	A 23.39.217.133 CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME www.microsoft.com-c-3.edgekey.net CNAME e13678.dscb.akamaiedge.net	23.200.154.12
download.visualstudio.microsoft.com	CNAME cs10.wpc.v0cdn.net CNAME visualstudio.download.prss.trafficmanager.net CNAME 4316b.wpc.azureedge.net A 192.229.232.200	192.229.232.200

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.229.232.200	Active	Moloch
23.39.217.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49177 -> 192.229.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49177 192.229.232.200:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=*.vo.msecnd.net	0e:7d:a8:cd:fe:61:1e:46:97:a3:57:99:70:da:e0:59:1d:34:04:80

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 5, 2023, 2:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 2:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 2:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 2:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 2:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 2:34 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 5, 2023, 2:31 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 5, 2023, 2:31 p.m.	buffer: ERROR: The process "SmartBridgeLauncher.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW July 5, 2023, 2:31 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW July 5, 2023, 2:31 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 5, 2023, 2:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (31 events)

request	GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
request	GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full.mzz
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full.mzz
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full_x64.msi
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full_x64.msi
request	GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=04115.00&sar=amd64&o1=netfx_Patch_x64.msp
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=04115.00&sar=amd64&o1=netfx_Patch_x64.msp
request	HEAD http://go.microsoft.com/fwlink/?LinkId=862008
request	GET http://go.microsoft.com/fwlink/?LinkId=862008
request	HEAD http://go.microsoft.com/fwlink/?LinkId=249120&clcid=0x409
request	GET http://go.microsoft.com/fwlink/?LinkId=249120&clcid=0x409
request	HEAD http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x412&ar=03761.00&sar=amd64&o1=NDP48-x86-x64-AllOS-KOR.exe
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x412&ar=03761.00&sar=amd64&o1=NDP48-x86-x64-AllOS-KOR.exe
request	HEAD https://download.visualstudio.microsoft.com/download/pr/7afca223-55d2-470a-8edc-6a1739ae3252/f3ce41d8623e237d717257d9ae4cec5f/netfx_full_cab.exe
request	GET https://download.visualstudio.microsoft.com/download/pr/7afca223-55d2-470a-8edc-6a1739ae3252/f3ce41d8623e237d717257d9ae4cec5f/netfx_full_cab.exe
request	HEAD https://download.visualstudio.microsoft.com/download/pr/9acd2157-dc1e-41fc-9f4d-35d56fc49f6b/c84b7777456bf0dc89c15571ffdb8e49/netfx_full_x64.msi
request	GET https://download.visualstudio.microsoft.com/download/pr/9acd2157-dc1e-41fc-9f4d-35d56fc49f6b/c84b7777456bf0dc89c15571ffdb8e49/netfx_full_x64.msi
request	HEAD https://download.visualstudio.microsoft.com/download/pr/2d6bb6b2-226a-4baa-bdec-798822606ff1/55e5b1321b16ab92f5e8fd2ea9169147/netfx_patch_x64.msp
request	GET https://download.visualstudio.microsoft.com/download/pr/2d6bb6b2-226a-4baa-bdec-798822606ff1/55e5b1321b16ab92f5e8fd2ea9169147/netfx_patch_x64.msp
request	HEAD https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/f0771dabc43ba46cfe9e3481840a7944/windows6.1-kb4019990-x64.cab
request	GET https://download.visualstudio.microsoft.com/download/pr/887938c3-2a46-4069-a0b1-207035f1dd82/f0771dabc43ba46cfe9e3481840a7944/windows6.1-kb4019990-x64.cab
request	HEAD https://download.visualstudio.microsoft.com/download/pr/375f6a02-34bc-4b7d-ad8b-957789cf81e8/e4abafc291524af6e2b478f5d4857f0a/netfx_full_x64.msi
request	GET https://download.visualstudio.microsoft.com/download/pr/375f6a02-34bc-4b7d-ad8b-957789cf81e8/e4abafc291524af6e2b478f5d4857f0a/netfx_full_x64.msi
request	HEAD https://download.visualstudio.microsoft.com/download/pr/c2ad65ab-bab3-4d24-ada4-aaf2ff0c1266/2a3f786c480c1122ff3696ba1ad9564b/ndp48-x86-x64-allos-kor.exe
request	GET https://download.visualstudio.microsoft.com/download/pr/c2ad65ab-bab3-4d24-ada4-aaf2ff0c1266/2a3f786c480c1122ff3696ba1ad9564b/ndp48-x86-x64-allos-kor.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73430000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74631000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73430000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74631000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74141000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72981000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 2:25 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73430000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 2:31 p.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	Setup.exe tried to sleep 196 seconds, actually delayed analysis time by 196 seconds
description	explorer.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW July 5, 2023, 2:31 p.m.	total_number_of_free_bytes: 13313429504 free_bytes_available: 13313429504 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 5, 2023, 2:31 p.m.	total_number_of_free_bytes: 13302411264 free_bytes_available: 13302411264 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 5, 2023, 2:31 p.m.	total_number_of_free_bytes: 13301329920 free_bytes_available: 13301329920 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 5, 2023, 2:34 p.m.	total_number_of_free_bytes: 12585361408 free_bytes_available: 12585361408 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 5, 2023, 2:34 p.m.	total_number_of_free_bytes: 12538884096 free_bytes_available: 12538884096 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 5, 2023, 2:34 p.m.	total_number_of_free_bytes: 12538425344 free_bytes_available: 12538425344 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (39 events)

file	C:\8e051fc3d4265a89f50407ff5a05bb\Setup.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\1041\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1046\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupEngine.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe.tmp\netfx_fullcab.msi
file	C:\8e051fc3d4265a89f50407ff5a05bb\1036\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1042\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1053\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\1033\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1040\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\sqmapi.dll
file	C:\544756739cb65cb612c2d6c6e1\SetupEngine.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1029\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1035\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1030\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\sqmapi.dll
file	C:\544756739cb65cb612c2d6c6e1\SetupUtility.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\1049\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1043\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\1033\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\1042\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1028\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\SetupUi.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\3082\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1025\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1055\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\Setup.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\2052\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1044\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUi.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1038\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1037\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\netfx_FullLP_x86.msi
file	C:\8e051fc3d4265a89f50407ff5a05bb\1032\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1045\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1031\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\2070\SetupResources.dll
file	C:\544756739cb65cb612c2d6c6e1\netfx_FullLP_x64.msi

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /delete /tn SmartBridgeLauncher /f
cmdline	schtasks /delete /tn SmartBridgeLauncher /f

Drops a binary and executes it (3 events)

file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\NDP48-x86-x64-AllOS-KOR.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-8JDV0.tmp\ndp48-web.exe
file	C:\Users\test22\AppData\Local\Temp\is-TCEFR.tmp\5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.tmp

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SmartBridgeLauncher.exe")

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 5, 2023, 2:31 p.m.	show_type: 0 filepath_r: taskkill.exe parameters: /f /im SmartBridgeLauncher.exe filepath: taskkill.exe	1	1
ShellExecuteExW July 5, 2023, 2:31 p.m.	show_type: 0 filepath_r: schtasks parameters: /delete /tn SmartBridgeLauncher /f filepath: schtasks	1	1
CreateProcessInternalW July 5, 2023, 2:31 p.m.	thread_identifier: 1264 thread_handle: 0x000003c4 process_identifier: 1484 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe track: 1 command_line: SetupUtility.exe /aupause filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000046c	1	1
CreateProcessInternalW July 5, 2023, 2:31 p.m.	thread_identifier: 2252 thread_handle: 0x00000490 process_identifier: 2256 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe track: 1 command_line: SetupUtility.exe /screboot filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000494	1	1
CreateProcessInternalW July 5, 2023, 2:31 p.m.	thread_identifier: 2480 thread_handle: 0x00000468 process_identifier: 2476 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe track: 1 command_line: TMP31DE.tmp.exe /Q /X:C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe.tmp filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\TMP31DE.tmp.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003d4	1	1
CreateProcessInternalW July 5, 2023, 2:34 p.m.	thread_identifier: 1504 thread_handle: 0x00000490 process_identifier: 2144 current_directory: C:\Windows\sysnative filepath: C:\Windows\sysnative\Dism.exe track: 1 command_line: dism.exe /quiet /norestart /online /add-package /packagepath:"C:\8e051fc3d4265a89f50407ff5a05bb\Windows6.1-KB4019990-x64.cab" filepath_r: C:\Windows\sysnative\dism.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000544	1	1
CreateProcessInternalW July 5, 2023, 2:34 p.m.	thread_identifier: 1852 thread_handle: 0x00000490 process_identifier: 1928 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe track: 1 command_line: SetupUtility.exe /msureboot 528403 filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000544	1	1
CreateProcessInternalW July 5, 2023, 2:34 p.m.	thread_identifier: 1040 thread_handle: 0x00000490 process_identifier: 2180 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe track: 1 command_line: SetupUtility.exe /auresume filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000544	1	1
CreateProcessInternalW July 5, 2023, 2:34 p.m.	thread_identifier: 1948 thread_handle: 0x0000053c process_identifier: 2852 current_directory: C:\8e051fc3d4265a89f50407ff5a05bb filepath: C:\8e051fc3d4265a89f50407ff5a05bb\NDP48-x86-x64-AllOS-KOR.exe track: 1 command_line: NDP48-x86-x64-AllOS-KOR.exe /q /x86 /x64 /norestart /skipenucheck /keepaupaused /chainingpackage "Microsoft .NET Framework 4.8" /pipe SectionName_2328874451 /log "C:\Users\test22\AppData\Local\Temp" filepath_r: C:\8e051fc3d4265a89f50407ff5a05bb\NDP48-x86-x64-AllOS-KOR.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000550	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (17 events)

Time & API	Arguments	Status	Return
Process32NextW July 5, 2023, 2:31 p.m.	snapshot_handle: 0x00000138 process_name: mobsync.exe process_identifier: 2288	1	1
Process32NextW July 5, 2023, 2:31 p.m.	snapshot_handle: 0x00000138 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW July 5, 2023, 2:31 p.m.	snapshot_handle: 0x00000138 process_name: 5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.tmp process_identifier: 2640	1	1
Process32NextW July 5, 2023, 2:31 p.m.	snapshot_handle: 0x00000138 process_name: WmiPrvSE.exe process_identifier: 2832	1	1
Process32NextW July 5, 2023, 2:31 p.m.	snapshot_handle: 0x00000138 process_name: Setup.exe process_identifier: 3016	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: svchost.exe process_identifier: 2088	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: taskhost.exe process_identifier: 828	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: WmiPrvSE.exe process_identifier: 2600	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: mscorsvw.exe process_identifier: 300	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: mscorsvw.exe process_identifier: 1528	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: SearchProtocolHost.exe process_identifier: 2392	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: SearchFilterHost.exe process_identifier: 1268	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: TrustedInstaller.exe process_identifier: 2396	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: VSSVC.exe process_identifier: 2976	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: svchost.exe process_identifier: 2372	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: NDP48-x86-x64-AllOS-KOR.exe process_identifier: 2852	1	1
Process32NextW July 5, 2023, 2:34 p.m.	snapshot_handle: 0x000001d0 process_name: Setup.exe process_identifier: 1616	1	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Sophos

Generic ML PUA (PUA)

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 5, 2023, 2:31 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (42 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:31 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW July 5, 2023, 2:34 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Expresses interest in specific running processes (3 events)

process	setup.exe
process	ndp48-web.exe
process	ndp48-x86-x64-allos-kor.exe

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExW July 5, 2023, 2:31 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1	2
RegOpenKeyExW July 5, 2023, 2:34 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1	2
RegOpenKeyExW July 5, 2023, 2:34 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1	2
RegOpenKeyExW July 5, 2023, 2:34 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5CB47E5E-57EC-4EA4-95F2-D5D8B0719744}_is1	2

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	NDP48-x86-x64-AllOS-KOR.exe /q /x86 /x64 /norestart /skipenucheck /keepaupaused /chainingpackage "Microsoft .NET Framework 4.8" /pipe SectionName_2328874451 /log "C:\Users\test22\AppData\Local\Temp"
cmdline	C:\544756739cb65cb612c2d6c6e1\\Setup.exe /q /x86 /x64 /norestart /skipenucheck /keepaupaused /chainingpackage "Microsoft .NET Framework 4.8" /pipe SectionName_2328874451 /log "C:\Users\test22\AppData\Local\Temp" /x86 /x64 /lcid 1042 /lpredist
cmdline	taskkill.exe /f /im SmartBridgeLauncher.exe
cmdline	"C:\Windows\System32\schtasks.exe" /delete /tn SmartBridgeLauncher /f
cmdline	schtasks /delete /tn SmartBridgeLauncher /f
cmdline	"C:\Windows\System32\taskkill.exe" /f /im SmartBridgeLauncher.exe

One or more of the buffers contains an embedded PE file (8 events)

buffer	Buffer with sha1: f0d9ee317bff2816035b8c4f3a022bdfb302d512
buffer	Buffer with sha1: abbe3ebbe58aba6f48e8ddbd2f53bd2703dff7a6
buffer	Buffer with sha1: 3579f70d86fb83a0b61c80dcb84b189c66287a21
buffer	Buffer with sha1: bcec98da2f558d4cc0efda3633ca7f32dc891113
buffer	Buffer with sha1: f8fc9041365eadb9ec289a307f5e5e9c948e11bd
buffer	Buffer with sha1: cb211eb831ca06d2929d3a5eb5b35e7dd7a0165a
buffer	Buffer with sha1: 6ce0c0cea7083d1cfeaad590c755b2b736c48d8a
buffer	Buffer with sha1: c1c79085446051e37080207f9dc2acd63e6198eb

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService July 5, 2023, 2:34 p.m.	service_handle: 0x03279988 service_name: MSIServer control_code: 1	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SmartBridgeLauncher

reg_value

C:\Users\test22\AppData\Roaming\Smartbridge\SmartBridgeLauncher.exe

Attempts to create or modify system certificates (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 179 events)

file	C:\Users\test22\AppData\Local\Temp\HFIB673.tmp.html
file	C:\Users\test22\AppData\Local\Temp\HFIB672.tmp
file	C:\Users\test22\AppData\Local\Temp\HFIB673.tmp
file	C:\Users\test22\AppData\Local\Temp\HFIAD29.tmp
file	C:\544756739cb65cb612c2d6c6e1\HFIB652.tmp
file	C:\8e051fc3d4265a89f50407ff5a05bb\1041\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1046\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1049\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\1032\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\Rotate9.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\1029\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\SplashScreen.bmp
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\Save.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\NetFx45\netfx_Full_x64.msi
file	C:\8e051fc3d4265a89f50407ff5a05bb\DisplayIcon.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\1025\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1030\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\1031\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\Setup.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\1028\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1043\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1028\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\1046\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\NDP48-x86-x64-AllOS-KOR.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\1049\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1025\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1055\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUi.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1038\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1035\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1029\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\1030\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1036\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1040\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupEngine.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1044\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUi.xsd
file	C:\8e051fc3d4265a89f50407ff5a05bb\Windows6.1-KB4019990-x64.cab
file	C:\8e051fc3d4265a89f50407ff5a05bb\1025\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\Rotate3.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\stop.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\1032\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1035\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1030\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\1044\LocalizedData.xml
file	C:\8e051fc3d4265a89f50407ff5a05bb\Graphics\Rotate10.ico
file	C:\8e051fc3d4265a89f50407ff5a05bb\SetupUtility.exe
file	C:\8e051fc3d4265a89f50407ff5a05bb\1041\eula.rtf
file	C:\8e051fc3d4265a89f50407ff5a05bb\1028\SetupResources.dll
file	C:\8e051fc3d4265a89f50407ff5a05bb\2070\SetupResources.dll

5a5ad5743da1c888bf3b54ccc3e34ff5_SmartbridgeLauncherInstaller_7.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All