Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 13, 2024, 1:59 p.m.	Feb. 13, 2024, 2:01 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b391262d30720e42f884893464e82b01`
SHA256	`6ff5c30cb8cd9f17edf1b00a2b4a5790795f59a3772a4810926f0d1df27922a1`
CRC32	`9A4A8B8E`
ssdeep	`49152:mcSFen9EqVEcrp9FT41tEwTw2+DISUTHB+Ayy0pIJ0CNFHYXhgBIFPsL7N7HdcxW:9QenzVJp7Mk5uSUV+Au6yCNFH2h9FPqC`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature EnigmaProtector_IN - EnigmaProtector

plaza.exe "C:\Users\test22\AppData\Local\Temp\plaza.exe"
2548
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2672
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2756

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.146.235
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.18.146.235	Active	Moloch
104.26.5.15	Active	Moloch
164.124.101.2	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 13, 2024, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 13, 2024, 1:59 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 13, 2024, 1:59 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Feb. 13, 2024, 1:59 p.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (21 events)

Time & API	Arguments	Status
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1090 0x7ebd0f40 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520276 registers.edi: 26538224 registers.eax: 0 registers.ebp: 4520304 registers.edx: 0 registers.ebx: 1424554489 registers.esi: 18751488 registers.ecx: 51721972	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1090 0x7ebd0f40 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520276 registers.edi: 4520276 registers.eax: 0 registers.ebp: 4520304 registers.edx: 2 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520312	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1090 0x7ebd0f40 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520276 registers.edi: 4520276 registers.eax: 0 registers.ebp: 4520304 registers.edx: 0 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520312	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1c30 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 19974824 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 14557184 registers.esi: 18751488 registers.ecx: 18751488	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1c30 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd1c30 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd20b0 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 19974824 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 14557184 registers.esi: 18751488 registers.ecx: 0	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd20b0 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd20b0 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd20b0 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd20b0 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2200 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 19974824 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 14557184 registers.esi: 18751488 registers.ecx: 4520168	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2200 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2710 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 19974824 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 0 registers.esi: 18751488 registers.ecx: 969911901	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2710 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 19974824 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 0 registers.esi: 18751488 registers.ecx: 1949049972	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: plaza.exe exception.exception_code: 0xc000001d exception.offset: 2413704 exception.address: 0x12cd488 registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 2 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715230 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520184	1
__exception__ Feb. 13, 2024, 1:59 p.m.	stacktrace: 0x7ebd2950 0x7ebd1870 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: plaza.exe exception.exception_code: 0xc0000094 exception.offset: 2413661 exception.address: 0x12cd45d registers.esp: 4520148 registers.edi: 4520148 registers.eax: 0 registers.ebp: 4520176 registers.edx: 0 registers.ebx: 19715187 registers.esi: 0 registers.ecx: 4520184	1

Performs some HTTP requests (2 events)

request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (50 out of 95 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2024, 1:59 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 13, 2024, 1:59 p.m.	thread_identifier: 2676 thread_handle: 0x0000013c process_identifier: 2672 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000140	1	1	0
CreateProcessInternalW Feb. 13, 2024, 1:59 p.m.	thread_identifier: 2760 thread_handle: 0x00000148 process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000144	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00073800', u'virtual_address': u'0x00001000', u'entropy': 7.999523641611958, u'name': u'', u'virtual_size': u'0x0010b000'}

entropy

7.99952364161

description