Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 3, 2023, 6:09 p.m.	Nov. 3, 2023, 6:13 p.m.

Size	12.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0bddfbdc76418c7fc877a5a11013dfee`
SHA256	`54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc`
CRC32	`B0A6FBF4`
ssdeep	`393216:WNSzrdr/NAWCPVvZj7zQk/psYFHwlya3VQ:ISzrdZwVBjHQUHw53VQ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

latestrock.exe "C:\Users\test22\AppData\Local\Temp\latestrock.exe"
2080
- InstallSetup5.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe"
  2184
  - Broom.exe C:\Users\test22\AppData\Local\Temp\Broom.exe
    2376
- toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
  2232
  - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
    2756
- 31839b57a4f11171d6abc8bbc4451ee4.exe "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2284
- kos4.exe "C:\Users\test22\AppData\Local\Temp\kos4.exe"
  2336
- latestX.exe "C:\Users\test22\AppData\Local\Temp\latestX.exe"
  2428

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93

IP Address	Status	Action
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 148.251.234.93:443 -> 192.168.56.103:49538	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49538 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49538 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49174 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49546	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49540	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49546 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49546 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49540 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49540 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49548	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49543	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49548 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49548 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49543 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49543 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49551	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49544	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49551 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49551 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49544 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49544 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49552	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49552 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49552 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49247	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49247 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49247 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49547	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49547 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49547 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49550	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49550 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49550 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 148.251.234.93:443 -> 192.168.56.103:49549	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49549 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49549 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49220	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49220 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49220 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49541	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49541 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49541 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49542	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49542 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49542 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49545	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49545 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49545 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:09 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:02 p.m.			0	0
IsDebuggerPresent Nov. 3, 2023, 6:02 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 6:09 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 66 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:09 p.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008fe000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2232 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2284 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c3b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ed6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:02 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 3, 2023, 6:03 p.m.	process_identifier: 2336 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 9903902720 free_bytes_available: 9903902720 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 9913618432 free_bytes_available: 9913618432 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 9997942784 free_bytes_available: 9997942784 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 9997942784 free_bytes_available: 9997942784 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 9997938688 free_bytes_available: 9997938688 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 10014158848 free_bytes_available: 10014158848 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 10014158848 free_bytes_available: 10014158848 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 3, 2023, 6:10 p.m.	total_number_of_free_bytes: 10014158848 free_bytes_available: 10014158848 root_path: C: total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe

Drops an executable to the user AppData folder (14 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\kos4.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\latestrock.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 3, 2023, 6:03 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00c88600', u'virtual_address': u'0x00002000', u'entropy': 7.941400031492856, u'name': u'.text', u'virtual_size': u'0x00c88594'}

entropy

7.94140003149

description

A section with a high entropy has been found

entropy

0.999844182151

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2756 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Nov. 3, 2023, 6:12 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Nov. 3, 2023, 6:12 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\kos4.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2756 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 called NtSetContextThread to modify thread in remote process 2756
NtSetContextThread Nov. 3, 2023, 6:10 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2756	1	0	0

Drops 156 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 156 events)

file	C:\Windows\Prefetch\RUNDLL32.EXE-DE9673F9.pf
file	C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file	C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file	C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file	C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file	C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Windows\Prefetch\AgGlFgAppHistory.db
file	C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file	C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file	C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file	C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\AgRobust.db
file	C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file	C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
file	C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file	C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file	C:\Windows\Prefetch\AgGlGlobalHistory.db

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 439 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\AgAppLaunch.db
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	c:\Windows\Temp\TS_7FC6.tmp
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[4].htm
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\invalidcert[1]
file	C:\Windows\Prefetch\DLLHOST.EXE-97F6A314.pf
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file	c:\Windows\Temp\TS_88E1.tmp
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Windows\Prefetch\JAVAWS.EXE-FE17358E.pf
file	C:\Users\test22\AppData\Local\Temp\latestrock.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\554576[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\getLoginStatus[2].nhn
file	C:\Windows\Prefetch\ELEVATION_SERVICE.EXE-9F359A74.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-B95715F5.pf
file	C:\Users\test22\AppData\Local\Temp\7zO4B1094CA\test.docx

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 resumed a thread in remote process 2756
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2756	1	0	0

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Executed a process and injected code into it, probably while unpacking (37 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2188 thread_handle: 0x0000039c process_identifier: 2184 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a4	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2080	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2080	1	0
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2236 thread_handle: 0x000003b0 process_identifier: 2232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2288 thread_handle: 0x000003d0 process_identifier: 2284 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2340 thread_handle: 0x0000020c process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\kos4.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\kos4.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\kos4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c8	1	1
NtResumeThread Nov. 3, 2023, 6:09 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2080	1	0
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2432 thread_handle: 0x000003a8 process_identifier: 2428 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\latestX.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\latestX.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\latestX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW Nov. 3, 2023, 6:09 p.m.	thread_identifier: 2380 thread_handle: 0x000001e8 process_identifier: 2376 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Broom.exe filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x000001ec	1	1
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 2760 thread_handle: 0x0000007c process_identifier: 2756 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Nov. 3, 2023, 6:10 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2756 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Nov. 3, 2023, 6:10 p.m.	process_identifier: 2756 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Nov. 3, 2023, 6:10 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2756 process_handle: 0x00000080	1	1
NtSetContextThread Nov. 3, 2023, 6:10 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2756	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 3, 2023, 6:02 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Nov. 3, 2023, 6:02 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Nov. 3, 2023, 6:02 p.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Nov. 3, 2023, 6:03 p.m.	thread_handle: 0x0000000000000324 suspend_count: 1 process_identifier: 2336	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2376	1	0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Nov. 3, 2023, 6:10 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW Nov. 3, 2023, 6:10 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0

latestrock.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All