Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 25, 2023, 5:53 p.m.	Nov. 25, 2023, 5:57 p.m.

Size	6.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d689713e2c880daf649ec894a0761274`
SHA256	`3d827e587c7f6e0fd92a866370618bd014d45c725dea96379ce641c6f75cb862`
CRC32	`4A6B05DC`
ssdeep	`196608:zy6KNPftIQbD/RB9R+27xwOP7O1Cle4ppODra:z/+fmQbDJ/B7xwO61Cle4ner`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) VMProtect_Zero - VMProtect packed file

PLmp.exe "C:\Users\test22\AppData\Local\Temp\PLmp.exe"
2556
- ljjoExaAHlxh5gOrGyTCWy1S.exe "C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe"
  2516
  - InstallSetup5.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe"
    2644
    - Broom.exe C:\Users\test22\AppData\Local\Temp\Broom.exe
      828
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        2772
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        2072
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        2548
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        1864
      - cmd.exe cmd /c rd /s /q c:\recycler
        2568
      - cmd.exe cmd /c rd /s /q c:\recycler
        2444
      - cmd.exe cmd /c rd /s /q c:\recycler
        2824
      - cmd.exe cmd /c rd /s /q c:\recycler
        2956
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        2560
      - cmd.exe cmd /c rd /s /q c:\recycler
        1512
      - cmd.exe cmd /c rd /s /q c:\$Recycle.bin
        2584
      - cmd.exe cmd /c rd /s /q c:\recycler
        2880
  - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
    2716
    - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
      1952
  - e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    416
  - latestX.exe "C:\Users\test22\AppData\Local\Temp\latestX.exe"
    1064
- NPzetvPn7T_J7TDudCgjrhI6.exe "C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe"
  2292

Name	Response	Post-Analysis Lookup
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.78
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
104.26.9.59	Active	Moloch
164.124.101.2	Active	Moloch
185.172.128.69	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
87.240.129.133	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49165 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49176 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.69:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49169 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 185.172.128.69:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49177 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49165 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49172 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49164 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.101:49180 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.101:49181 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:54 p.m.			0	0

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The directory is not empty. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: c:\$Recycle.bin\S-1-5-~1\desktop.ini - console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: c:\$Recycle.bin\S-1-5-~1 - console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: c:\$Recycle.bin\S-1-5-~1 - console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 25, 2023, 5:54 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 25, 2023, 5:54 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	_RDATA
section	.vmp0
section	.vmp1
section	.vmp2

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/allnewumm.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/allnewumm.exe

Performs some HTTP requests (8 events)

request	GET http://45.15.156.229/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	HEAD http://185.172.128.69/allnewumm.exe
request	GET http://185.172.128.69/allnewumm.exe
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://vk.com/doc278414724_666990616?hash=4CotYHxpQIpd56XcQZdpXEA3nXJg8jBmLdZCLDYGTM4&dl=5wzQdfHJAm42JxdCzDIp2OLxzWhsnZyAL9RzHoNviH8&api=1&no_preview=1
request	GET https://sun6-23.userapi.com/c909618/u278414724/docs/d42/29be4c51d720/tmvwr.bmp?extra=lo1JLlDudToLN88wnSMMBgylnX1wZTo7dOyVInza09welEABQpw4eL107Ew0zGWbBHSZBcWjr8Ul2BHoKLnfShpyWd-XGHjt6BGnQMXMMB9fPp0nlsR-7ZS6NAy1Lkfclpxxg_FCr-j3uBfJEA

Sends data using the HTTP POST Method (1 event)

request

POST http://45.15.156.229/api/firegate.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 371 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d82810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d83810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d84810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d85810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d86810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d87810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d88810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d89810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d93810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d95810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d96810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d97810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d98810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da3810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da4810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da5810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da8810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dab810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dad810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daf810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (14 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13257981952 free_bytes_available: 13257981952 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13338783744 free_bytes_available: 13338783744 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13381152768 free_bytes_available: 13381152768 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13385793536 free_bytes_available: 13385793536 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13472661504 free_bytes_available: 13472661504 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13474471936 free_bytes_available: 13474471936 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13474230272 free_bytes_available: 13474230272 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13474283520 free_bytes_available: 13474283520 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13476126720 free_bytes_available: 13476126720 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:54 p.m.	total_number_of_free_bytes: 13476708352 free_bytes_available: 13476708352 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:55 p.m.	total_number_of_free_bytes: 13507330048 free_bytes_available: 13507330048 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:55 p.m.	total_number_of_free_bytes: 13513310208 free_bytes_available: 13513310208 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:55 p.m.	total_number_of_free_bytes: 13513371648 free_bytes_available: 13513371648 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 25, 2023, 5:55 p.m.	total_number_of_free_bytes: 13513457664 free_bytes_available: 13513457664 root_path: C: total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (20 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Roaming\Opera\Opera\global_history.dat

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_NEUTRAL

filetype

data

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00cba970

size

0x000002ac

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\Pictures\Minor Policy\Pu1gSQR5DimZSROTdam4pLx9.exe
file	C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 25, 2023, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\allnewumm[1].exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 25, 2023, 5:47 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe	1	1	0
ShellExecuteExW Nov. 25, 2023, 5:47 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe parameters: filepath: C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (36 events)

Time & API	Arguments	Status	Return
Process32FirstW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: System process_identifier: 4	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: services.exe process_identifier: 444	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW Nov. 25, 2023, 5:45 p.m.	snapshot_handle: 0x00000000000003b0 process_name: PLmp.exe process_identifier: 2556	1	1

An executable file was downloaded by the process plmp.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 25, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿U^eàxÄ.Ä Ä@ àÄ@àÄK ÄàÀÄ H.text4wÄ xÄ `.rsrcà ÄzÄ@@.relocÀÄÄ@BÄH,Ä´(YÄ0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( ( (X ~o ?.ÿÿÿ~&0/s s s o Þ ,o Üo * 0(i +i]aÒXi2ç6((+Ò0c ( ~-þs ~(+(+ + i]XX ÿ_(X 2Ø(! 0w{X ÿ_}{{{X ÿ_}{{{({{{{{X ÿ_aÒ03s (}}}þs" (+0 0rKp(# s$ o% t0ª(& o' rcp( ( (( -() o (+ ,(, ,(- `(. ~/ (0 ~o1 o2 o3 Þ/&Þ~4 (0 ~o1 o2 o3 Þ& Þ* R'y%\|%¡%00 r1p rmp(5 s6 rçpo7 rpo7 rpo7 rYpo7 s6 rcpo7 rcpo7 rcpo7 rcpo7 s6 ripo7 ripo7 ripo7 ripo7 s6 (8 o7 (8 o7 (8 o7 (8 o7 (! "(9 (! * request_handle: 0x0000000000cc0018	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00621a00', u'virtual_address': u'0x00688000', u'entropy': 7.919860337357698, u'name': u'.vmp2', u'virtual_size': u'0x00621900'}

entropy

7.91986033736

description

A section with a high entropy has been found

entropy

0.988818017167

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

plmp.exe

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (2 events)

host	185.172.128.69
host	45.15.156.229

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 25, 2023, 5:54 p.m.	process_identifier: 1952 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Nov. 25, 2023, 5:54 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Nov. 25, 2023, 5:54 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe

Drops a binary and executes it (5 events)

file	C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 25, 2023, 5:54 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1952 process_handle: 0x0000009c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2716 called NtSetContextThread to modify thread in remote process 1952
NtSetContextThread Nov. 25, 2023, 5:54 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 1952	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 3644 events)

file	c:\$Recycle.Bin\S-1-5-21-3832866432-4053218753-3017428901-1001\desktop.ini
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_207_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_9e455618fbfe7d2cd7c8c778da6201af_31bf3856ad364e35_6.1.7601.22923_none_71e47a370a53121e.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_159_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_18_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.mum
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_7_for_kb3075220_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7601.18717_da-dk_12122c0f7fc4f0a3.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_89_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1950013849c0a17343f0db86419d01f9\amd64_e647dd6a4938232ef9885892b3e4ea4e_31bf3856ad364e35_7.6.7601.19161_none_20b03f75c37a147d.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_124_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_46_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_118_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\x86_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.23121_he-il_5ce72a74d75126bb.manifest
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_86_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_71_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_microsoft-windows-e..vironment-os-loader_31bf3856ad364e35_6.1.7601.22923_none_9e924fd09a5d7b2f.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7601.22923_zh-cn_bc1133cbb8670d64.manifest
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\x86_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.23121_hr-hr_5f03dd54d6049381.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_239_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.mum
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_microsoft-windows-ocspsvc.resources_31bf3856ad364e35_6.1.7601.22923_tr-tr_419f57951c930606.manifest
file	C:\Windows\SoftwareDistribution\Download\084ae788af8afdcb081a0f76dfc6e551\package_5_for_kb2667402_bf~31bf3856ad364e35~amd64~~6.1.2.0.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_30_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.mum
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7601.22923_el-gr_d4e1d28e140170f7.manifest
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_54_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_64_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_209_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.mum
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.23121_fr-fr_74e61e56a93f9703.manifest
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_219_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\330[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\amd64_85f3170427413796bb9a2006b8b95d44_31bf3856ad364e35_6.1.7601.22923_none_ada1cc7f2dbe7d7b.manifest
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png
file	C:\Windows\SoftwareDistribution\Download\16c0d43608c27cf376d796eb5838a6a7\package_2_for_kb2864202_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_125_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_216_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_234_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_164_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\sy_stars_8[1].gif
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\ico_jmail2_120309[1].png

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2716 resumed a thread in remote process 1952
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 1952	1	0	0

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe

Executed a process and injected code into it, probably while unpacking (50 out of 57 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 25, 2023, 5:47 p.m.	thread_identifier: 2496 thread_handle: 0x0000000000000694 process_identifier: 2516 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\ljjoExaAHlxh5gOrGyTCWy1S.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000698	1	1
CreateProcessInternalW Nov. 25, 2023, 5:47 p.m.	thread_identifier: 2296 thread_handle: 0x00000000000007b0 process_identifier: 2292 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe track: 1 command_line: "C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe" filepath_r: C:\Users\test22\Pictures\Minor Policy\NPzetvPn7T_J7TDudCgjrhI6.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000007bc	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2664 thread_handle: 0x00000394 process_identifier: 2644 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000039c	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 2516	1	0
NtGetContextThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2708 thread_handle: 0x000003a8 process_identifier: 2716 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1304 thread_handle: 0x000003c8 process_identifier: 416 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b0	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1096 thread_handle: 0x0000020c process_identifier: 1064 current_directory: C:\Users\test22\Pictures\Minor Policy filepath: C:\Users\test22\AppData\Local\Temp\latestX.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\latestX.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\latestX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c0	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1656 thread_handle: 0x0000001c process_identifier: 828 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Broom.exe filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x000001e0	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 936 thread_handle: 0x00000098 process_identifier: 1952 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000009c	1	1
NtGetContextThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000098	1	0
NtUnmapViewOfSection Nov. 25, 2023, 5:54 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1952 process_handle: 0x0000009c	1	0
NtAllocateVirtualMemory Nov. 25, 2023, 5:54 p.m.	process_identifier: 1952 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0
WriteProcessMemory Nov. 25, 2023, 5:54 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1952 process_handle: 0x0000009c	1	1
NtSetContextThread Nov. 25, 2023, 5:54 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 1952	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 1952	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 828	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 828	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 828	1	0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 828	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2696 thread_handle: 0x0000032c process_identifier: 2772 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000384	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2088 thread_handle: 0x00000380 process_identifier: 2072 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000334	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2544 thread_handle: 0x00000354 process_identifier: 2548 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000364	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2796 thread_handle: 0x00000340 process_identifier: 1864 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000354	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1308 thread_handle: 0x00000340 process_identifier: 2568 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\recycler filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000354	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2584 thread_handle: 0x00000364 process_identifier: 2444 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\recycler filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000380	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2656 thread_handle: 0x0000032c process_identifier: 2956 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\recycler filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000334	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1376 thread_handle: 0x00000340 process_identifier: 2824 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\recycler filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000354	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 828	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 828	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 828	1	0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: c filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 2724 thread_handle: 0x00000410 process_identifier: 2560 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000440	1	1
CreateProcessInternalW Nov. 25, 2023, 5:54 p.m.	thread_identifier: 1892 thread_handle: 0x00000410 process_identifier: 1512 current_directory: filepath: track: 1 command_line: cmd /c rd /s /q c:\recycler filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000440	1	1
NtResumeThread Nov. 25, 2023, 5:54 p.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 828	1	0

Drops 869 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 869 events)

file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_115_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_126_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_122_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\update.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_7_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_56_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_69_for_kb3075220_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_59_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\Prefetch\SDIAGNHOST.EXE-8D72177C.pf
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_9_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_201_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_55_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_38_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_169_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_82_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\16c0d43608c27cf376d796eb5838a6a7\package_for_kb2864202_rtm_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_159_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_113_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_116_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_109_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_53_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_27_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file	C:\Windows\SoftwareDistribution\Download\0abf0b242f065eda2c392ba806adea85\package_for_kb3010788_sp1~31bf3856ad364e35~amd64~~6.1.1.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_67_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_83_for_kb3075220_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_148_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_205_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_163_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\16c0d43608c27cf376d796eb5838a6a7\package_1_for_kb2864202~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_71_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\SoftwareDistribution\Download\171f77c7d9ce5ac4e6d2ca476b546a14\package_3_for_kb2621440_bf~31bf3856ad364e35~amd64~~6.1.1.5.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_29_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_212_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_97_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\084ae788af8afdcb081a0f76dfc6e551\package_1_for_kb2667402_bf~31bf3856ad364e35~amd64~~6.1.2.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_217_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_50_for_kb3004375_bf~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_124_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\084ae788af8afdcb081a0f76dfc6e551\package_5_for_kb2667402~31bf3856ad364e35~amd64~~6.1.2.0.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_71_for_kb3075220_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_55_for_kb3075220~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_139_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_99_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat
file	C:\Windows\SoftwareDistribution\Download\07eadaf7fd5f649833d1a235d8f068f4\package_58_for_kb3075220_bf~31bf3856ad364e35~amd64~~6.1.1.0.cat
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\SoftwareDistribution\Download\1349c63efc514911e8e09a63876f31b2\package_183_for_kb3004375~31bf3856ad364e35~amd64~~6.1.3.1.cat

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.PrivateLoader.a!c
DrWeb	Trojan.Siggen22.14964
MicroWorld-eScan	Gen:Variant.Barys.445316
Skyhigh	BehavesLike.Win64.Generic.vc
ALYac	Gen:Variant.Barys.445316
Cylance	unsafe
Sangfor	Downloader.Win32.Privateloader.V0sm
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Packed.VMProtect.J suspicious
APEX	Malicious
Kaspersky	Trojan-Downloader.Win32.PrivateLoader.bl
BitDefender	Gen:Variant.Barys.445316
Avast	FileRepMalware [Pws]
Tencent	Win32.Trojan-Downloader.Privateloader.Qgil
Emsisoft	Gen:Variant.Barys.445316 (B)
VIPRE	Gen:Variant.Barys.445316
FireEye	Generic.mg.d689713e2c880daf
Sophos	Mal/Generic-S
MAX	malware (ai score=80)
Webroot	W32.Malware.Gen
Varist	W64/ABRisk.LGKF-8507
Antiy-AVL	Trojan[Packed]/Win64.VMProtect
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win32/ScarletFlash.A
Gridinsoft	Trojan.Win64.Glupteba.tr
Xcitium	ApplicUnwnt@#dqvw8gfmjoas
Arcabit	Trojan.Barys.D6CB84
ZoneAlarm	Trojan-Downloader.Win32.PrivateLoader.bl
GData	Gen:Variant.Barys.445316
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.PWSX-gen.C5539198
McAfee	Artemis!D689713E2C88
Malwarebytes	Trojan.Downloader
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014H09KO23
Rising	Downloader.PrivateLoader!8.14213 (TFE:3:KZqwgLlcN8L)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

PLmp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All