Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 13, 2024, 8:59 a.m.	May 13, 2024, 9:02 a.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3acbdb001a0be2555921f0361189f9b5`
SHA256	`577c882863773dd3c84a219133a967b6354e89822e871d6ddf954f0c3a2976a9`
CRC32	`2F032809`
ssdeep	`49152:/YAdQItwwztvgIBRUPgafOKR9UUVlNKnwGs1r/6brfoh93o0CjLGPFHeaz5BpGN4:/YAN9YIu4KR9UA0wGWHbyqN+azX8C`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) EnigmaProtector_IN - EnigmaProtector

poter.exe "C:\Users\test22\AppData\Local\Temp\poter.exe"
2556
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2696
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2756

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
147.45.47.126	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49166	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49169 172.67.75.166:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 13, 2024, 8:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 13, 2024, 8:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 13, 2024, 8:59 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 13, 2024, 8:59 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 13, 2024, 8:59 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (28 events)

Time & API	Arguments	Status
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406496 registers.edi: 26640624 registers.eax: 0 registers.ebp: 3406524 registers.edx: 2 registers.ebx: 1372433624 registers.esi: 18800640 registers.ecx: 53556980	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406496 registers.edi: 3406496 registers.eax: 0 registers.ebp: 3406524 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406532	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406496 registers.edi: 3406496 registers.eax: 0 registers.ebp: 3406524 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406532	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406496 registers.edi: 3406496 registers.eax: 0 registers.ebp: 3406524 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406532	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406496 registers.edi: 3406496 registers.eax: 0 registers.ebp: 3406524 registers.edx: 0 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406532	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd0de0 0x7ebd0c90 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406496 registers.edi: 3406496 registers.eax: 0 registers.ebp: 3406524 registers.edx: 2 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406532	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1980 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 20023976 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 14606336 registers.esi: 18800640 registers.ecx: 18800640	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1980 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1980 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1980 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1980 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1e00 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 20023976 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 14606336 registers.esi: 18800640 registers.ecx: 0	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1e00 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 20023976 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 14606336 registers.esi: 18800640 registers.ecx: 3406388	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd1f50 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 20023976 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 0 registers.esi: 18800640 registers.ecx: 2548544331	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: f7 f0 e8 dc 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: div eax exception.module: poter.exe exception.exception_code: 0xc0000094 exception.offset: 2724957 exception.address: 0x12d945d registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 0 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd2460 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764339 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd26a0 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 20023976 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 0 registers.esi: 18800640 registers.ecx: 2365652991	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd26a0 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1
__exception__ May 13, 2024, 8:59 a.m.	stacktrace: 0x7ebd26a0 0x7ebd15c0 exception.instruction_r: 0f 0b e8 b1 4d 01 00 33 c0 5a 59 59 64 89 10 eb exception.instruction: ud2 exception.module: poter.exe exception.exception_code: 0xc000001d exception.offset: 2725000 exception.address: 0x12d9488 registers.esp: 3406368 registers.edi: 3406368 registers.eax: 0 registers.ebp: 3406396 registers.edx: 2 registers.ebx: 19764382 registers.esi: 0 registers.ecx: 3406404	1

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0300c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0301c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03028000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0302c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0303c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03048000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0304c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03058000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0305c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03064000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03068000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0306c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03074000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03078000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0307c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03088000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0308c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03094000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03098000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0309c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 13, 2024, 8:59 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 13, 2024, 8:59 a.m.	thread_identifier: 2700 thread_handle: 0x00000160 process_identifier: 2696 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000164	1	1	0
CreateProcessInternalW May 13, 2024, 8:59 a.m.	thread_identifier: 2760 thread_handle: 0x0000016c process_identifier: 2756 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000168	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00093c00', u'virtual_address': u'0x00001000', u'entropy': 7.999707131763619, u'name': u'', u'virtual_size': u'0x0015c000'}

entropy

7.99970713176

description