Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 6:48 p.m.	July 25, 2023, 6:50 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e1f944688e00a6753e1dfa4e5d8a7670`
SHA256	`2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9`
CRC32	`3217CF81`
ssdeep	`24576:V5KrtzH/iYOdy9HQUtiImGqPPUPJp6XdCGQV3JfIR:CrxH/iYV9VeGqPPsT6UvrQR`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

scania54646.exe "C:\Users\test22\AppData\Local\Temp\scania54646.exe"
840
- scania54646.exe "C:\Users\test22\AppData\Local\Temp\scania54646.exe"
  2504
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\GLqLto.exe"
    2096
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp"
    2324
- chrome.exe "C:\Users\test22\AppData\Local\Temp\chrome.exe"
  2596
  - chrome.exe "C:\Users\test22\AppData\Local\Temp\chrome.exe"
    2956
  - cmd.exe "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
    2812
  - cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
    2852
    - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
      2460
  - cmd.exe "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\chrome.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
    1656
- cmd.exe "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\chrome"
  2640
- cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
  2712
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
    2768
- cmd.exe "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\scania54646.exe" "C:\Users\test22\AppData\Roaming\chrome\chrome.exe"
  2816

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 5:53 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:53 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\GLqLto. console_handle: 0x00000053	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: exe console_handle: 0x0000005f	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 25, 2023, 5:54 p.m.	buffer: SUCCESS: The scheduled task "Updates\GLqLto" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058ae58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058a798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058af98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b518 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b2d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 5:53 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 227 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0086b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00867000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0084c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00856000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00857000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:53 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0084a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0084d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\chrome.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (12 events)

cmdline	"cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\scania54646.exe" "C:\Users\test22\AppData\Roaming\chrome\chrome.exe"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\chrome"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\GLqLto.exe"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\GLqLto.exe"
cmdline	schtasks.exe /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp"
cmdline	"cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\chrome.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\chrome.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\chrome.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2644 thread_handle: 0x00000430 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\chrome" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003f0	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2716 thread_handle: 0x00000430 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000458	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2820 thread_handle: 0x00000430 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\scania54646.exe" "C:\Users\test22\AppData\Roaming\chrome\chrome.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000460	1	1
ShellExecuteExW July 25, 2023, 5:54 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\GLqLto.exe" filepath: powershell	1	1
ShellExecuteExW July 25, 2023, 5:54 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp" filepath: schtasks.exe	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2808 thread_handle: 0x00000334 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000340	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2580 thread_handle: 0x00000334 process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000034c	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 1780 thread_handle: 0x00000334 process_identifier: 1656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\chrome.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000350	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 25, 2023, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (15 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 1608 process_handle: 0x000003e8
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 1608 process_handle: 0x000003e8	1
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x000003f0
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x000003f0	1
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2536 process_handle: 0x000003f8
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2536 process_handle: 0x000003f8	1
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2624 process_handle: 0x00000404
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2624 process_handle: 0x00000404	1
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2700 process_handle: 0x0000040c
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2700 process_handle: 0x0000040c	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\chrome"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
cmdline	schtasks.exe /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp"

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 1015808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 1015808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1608 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e0		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2120 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2536 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2624 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2700 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003fc		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2956 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0

Installs itself for autorun at Windows startup (4 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2504 manipulating memory of non-child process 1608
Process injection	Process 2504 manipulating memory of non-child process 2120
Process injection	Process 2504 manipulating memory of non-child process 2536
Process injection	Process 2504 manipulating memory of non-child process 2624
Process injection	Process 2504 manipulating memory of non-child process 2700
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1608 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e0	3221225496	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2120 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	3221225496	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2536 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	3221225496	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2624 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4	3221225496	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2700 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003fc	3221225496	0

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶dà0V% @@ @%O@¬`È½T H.text\ `.rsrc¬@@@.reloc`@B base_address: 0x001d0000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: P8h¬@4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments4 CompanyNameMicrosoft< FileDescriptionInterface0FileVersion1.0.0.02 InternalNameuxpY.exeHLegalCopyrightCopyright © 2017*LegalTrademarks: OriginalFilenameuxpY.exe4 ProductNameInterface4ProductVersion1.0.0.08Assembly Version1.0.0.0¼Cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x002c4000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: X5 base_address: 0x002c6000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x00400000 process_identifier: 2956 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: 0> base_address: 0x00416000 process_identifier: 2956 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2956 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶dà0V% @@ @%O@¬`È½T H.text\ `.rsrc¬@@@.reloc`@B base_address: 0x001d0000 process_identifier: 2504 process_handle: 0x0000027c	1	1	0
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL²X`à þ= @@ .@¤=W@¸ ` H.text `.rsrc¸ @"@@.reloc`0@B base_address: 0x00400000 process_identifier: 2956 process_handle: 0x0000027c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 called NtSetContextThread to modify thread in remote process 2504
Process injection	Process 2596 called NtSetContextThread to modify thread in remote process 2956
NtSetContextThread July 25, 2023, 5:54 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5186902 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2504	1	0	0
NtSetContextThread July 25, 2023, 5:54 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4210174 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2956	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	chrome.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\chrome.exe"
parent_process	chrome.exe	martian_process	"cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\chrome.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
parent_process	chrome.exe	martian_process	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
parent_process	chrome.exe	martian_process	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 resumed a thread in remote process 2504
Process injection	Process 2596 resumed a thread in remote process 2956
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2504	1	0	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2956	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 70 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2023, 5:53 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 840	1	0
NtResumeThread July 25, 2023, 5:53 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 840	1	0
NtResumeThread July 25, 2023, 5:53 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 840	1	0
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2508 thread_handle: 0x00000278 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\scania54646.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 1015808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2504 region_size: 1015808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥¶dà0V% @@ @%O@¬`È½T H.text\ `.rsrc¬@@@.reloc`@B base_address: 0x001d0000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: base_address: 0x001d2000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: P8h¬@4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments4 CompanyNameMicrosoft< FileDescriptionInterface0FileVersion1.0.0.02 InternalNameuxpY.exeHLegalCopyrightCopyright © 2017*LegalTrademarks: OriginalFilenameuxpY.exe4 ProductNameInterface4ProductVersion1.0.0.08Assembly Version1.0.0.0¼Cêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x002c4000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: X5 base_address: 0x002c6000 process_identifier: 2504 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x0000027c	1	1
NtSetContextThread July 25, 2023, 5:54 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5186902 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 840	1	0
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2600 thread_handle: 0x00000458 process_identifier: 2596 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\chrome.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\chrome.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000460	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2644 thread_handle: 0x00000430 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\chrome" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003f0	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2716 thread_handle: 0x00000430 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\chrome\chrome.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000458	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2820 thread_handle: 0x00000430 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\scania54646.exe" "C:\Users\test22\AppData\Roaming\chrome\chrome.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000460	1	1
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2504	1	0
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2100 thread_handle: 0x000003c8 process_identifier: 2096 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\GLqLto.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2360 thread_handle: 0x00000388 process_identifier: 2324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\test22\AppData\Local\Temp\tmpC8B5.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 1228 thread_handle: 0x0000037c process_identifier: 1608 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1608 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e0		3221225496
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2380 thread_handle: 0x000003e8 process_identifier: 2120 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000003e8	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2120 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4		3221225496
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2556 thread_handle: 0x000003f0 process_identifier: 2536 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ec	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000003f0	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2536 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec		3221225496
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2664 thread_handle: 0x000003f8 process_identifier: 2624 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003f4	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000003f8	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2624 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4		3221225496
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2732 thread_handle: 0x00000404 process_identifier: 2700 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scania54646.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scania54646.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003fc	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000404	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2700 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003fc		3221225496
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 2596	1	0
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2960 thread_handle: 0x00000278 process_identifier: 2956 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\chrome.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\chrome.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\chrome.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2956 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.Common.8AF26399
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Gen:Variant.Ransom.Loki.8883
FireEye	Generic.mg.e1f944688e00a675
CAT-QuickHeal	Trojan.Generic
McAfee	Artemis!E1F944688E00
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059e0d61 )
Alibaba	Trojan:MSIL/Kryptik.a3e94953
K7GW	Trojan ( 0059e0d61 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Ransom.Loki.D22B3
BitDefenderTheta	Gen:NN.ZemsilF.36318.@o0@aeioY!gG
Cyren	W32/MSIL_Kryptik.JLT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Ransom.Loki.8883
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13ea6029
Emsisoft	Gen:Variant.Ransom.Loki.8883 (B)
F-Secure	Heuristic.HEUR/AGEN.1307491
DrWeb	Trojan.Inject4.59235
VIPRE	Gen:Variant.Ransom.Loki.8883
TrendMicro	TrojanSpy.Win32.REDLINE.YXDGTZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1307491
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Ransom.Loki.8883
Google	Detected
Acronis	suspicious
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Ransom.Loki.8883
MAX	malware (ai score=85)
Malwarebytes	Trojan.Crypt.MSIL
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDGTZ
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:+dYExi2SB/FxzIwdwHQe2Q)
Yandex	Trojan.Agent!J+b6f+q1M+g
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Kryptik.AHBB!tr
AVG	Win32:PWSX-gen [Trj]

scania54646.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All