Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:54 a.m.	June 16, 2024, 10:13 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2ca46e1c431bc4a3e5a01921e1e13a50`
SHA256	`f764089e78f3fb6366d1e292c4636a8513f712876b51130f3f20be5083f22b48`
CRC32	`8104A70D`
ssdeep	`24576:qODP7Rw0u6pAJzL3VMucfssyk8jhvuCgfszlHW3/7DJjcv:qmP7OlSAxmu/Rjhvu70Y3/hjm`
Yara	Network_Downloader - File Downloader ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

WB.exe "C:\Users\test22\AppData\Local\Temp\WB.exe"
1372
- BIwL.exe C:\Users\test22\AppData\Local\Temp\BIwL.exe
  1740
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\36e244b7.bat" "
    2700
- csrss1.exe C:\Users\test22\AppData\Local\Temp\csrss1.exe
  2120
- csrss2.exe C:\Users\test22\AppData\Local\Temp\csrss2.exe
  2176
  - ._cache_csrss2.exe "C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe"
    2280
    - ctfmon.exe ctfmon.exe
      2420
  - Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    2340
    - ._cache_Synaptics.exe "C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      2460
      - ctfmon.exe ctfmon.exe
        2624

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 44.221.84.105	44.221.84.105
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18
docs.google.com	A 216.58.203.78	172.217.25.174
freedns.afraid.org	A 69.42.215.252	69.42.215.252
drive.usercontent.google.com	A 142.250.66.129	142.250.206.193
xred.mooo.com

IP Address	Status	Action
142.250.66.129	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
216.58.203.78	Active	Moloch
38.147.172.248	Active	Moloch
44.221.84.105	Active	Moloch
69.42.215.252	Active	Moloch
51.15.193.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49200 -> 142.250.66.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49199 -> 216.58.203.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49200 142.250.66.129:443	C=US, O=Google Trust Services, CN=WR2	CN=*.usercontent.google.com	71:e8:8e:94:b7:3e:87:37:f2:40:e5:6d:db:4c:22:85:e4:ea:4d:63
TLSv1 192.168.56.103:49199 216.58.203.78:443	C=US, O=Google Trust Services, CN=WR2	CN=*.google.com	4c:c8:6f:b2:95:94:9b:85:9d:cd:50:8c:dc:35:70:a9:fa:1c:63:f0

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 16, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\BIwL.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\BIwL.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\36e244b7.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:54 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	.nsp0
section	.nsp1
section	.nsp2
section	O\xb0n?\xa3ux

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ June 16, 2024, 9:54 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 87293404 registers.edi: 87293592 registers.eax: 87293404 registers.ebp: 87293484 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ June 16, 2024, 9:54 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 87291216 registers.edi: 87291404 registers.eax: 87291216 registers.ebp: 87291296 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ June 16, 2024, 9:54 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 87289028 registers.edi: 87289216 registers.eax: 87289028 registers.ebp: 87289108 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (5 events)

request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (3 events)

description	Synaptics.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds
description	._cache_csrss2.exe tried to sleep 185 seconds, actually delayed analysis time by 185 seconds
description	._cache_Synaptics.exe tried to sleep 182 seconds, actually delayed analysis time by 182 seconds

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0024361c

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0024361c

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0024361c

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243b0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243b0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243b0c

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00243b0c

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245214

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245364

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00245364

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002465ac

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00246ff4

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247040

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247040

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247040

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247078

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247078

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00247078

size

0x00000014

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (39 events)

file	C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
file	C:\Users\test22\AppData\Local\Temp\39251ACE.exe
file	C:\Users\test22\AppData\Local\Temp\49791C4E.exe
file	C:\Users\test22\AppData\Local\Temp\280D2AB5.exe
file	C:\Users\test22\AppData\Local\Temp\645E3936.exe
file	C:\Users\test22\AppData\Local\Temp\014F1B8E.exe
file	C:\Users\test22\AppData\Local\Temp\csrss1.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\tmpvmqcut\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\tmp6o6lvv\bin\execsc.exe
file	C:\Users\test22\AppData\Local\Temp\18EE6058.exe
file	C:\Users\test22\AppData\Local\Temp\36e244b7.bat
file	C:\Users\test22\AppData\Local\Temp\0CC72395.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Users\test22\AppData\Local\Temp\2CFF5E0B.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\util\pafish.exe
file	C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\tmp6o6lvv\bin\inject-x86.exe
file	C:\Program Files (x86)\7-Zip\7zG.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\ProgramData\Synaptics\Synaptics.dll
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\tmpvmqcut\bin\is32bit.exe
file	C:\tmp6o6lvv\bin\is32bit.exe
file	C:\Users\test22\AppData\Local\Temp\BIwL.exe
file	C:\tmpvmqcut\bin\execsc.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Program Files (x86)\7-Zip\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\csrss2.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 16, 2024, 9:54 a.m.	service_start_name: start_type: 2 password: display_name: Mnopqr Tuvwxyab Defghijk Mnop filepath: C:\Windows\SysWOW64\ctfmon.exe service_name: Mnopqr filepath_r: C:\Windows\SysWOW64\ctfmon.exe desired_access: 983551 service_handle: 0x00535b10 error_control: 0 service_type: 272 service_manager_handle: 0x00535bd8	1	5462800	0
CreateServiceA June 16, 2024, 9:55 a.m.	service_start_name: start_type: 2 password: display_name: Mnopqr Tuvwxyab Defghijk Mnop filepath: C:\Windows\SysWOW64\ctfmon.exe service_name: Mnopqr filepath_r: C:\Windows\SysWOW64\ctfmon.exe desired_access: 983551 service_handle: 0x00000000 error_control: 0 service_type: 272 service_manager_handle: 0x00245bd8		0	0

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\36e244b7.bat
file	C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\BIwL.exe
file	C:\Users\test22\AppData\Local\Temp\13314968\TemporaryFile\TemporaryFile
file	C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
file	C:\Users\test22\AppData\Local\Temp\csrss2.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\36e244b7.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\36e244b7.bat	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 70 events)

Time & API	Arguments	Status	Return
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: mobsync.exe process_identifier: 1712	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: pw.exe process_identifier: 524	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: taskhost.exe process_identifier: 1792	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: WB.exe process_identifier: 1372	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: BIwL.exe process_identifier: 1740	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: schtasks.exe process_identifier: 2100	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: conhost.exe process_identifier: 2108	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: csrss1.exe process_identifier: 2120	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: is32bit.exe process_identifier: 2184	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: ._cache_Synaptics.exe process_identifier: 2460	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: ctfmon.exe process_identifier: 2624	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: cmd.exe process_identifier: 2700	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: is32bit.exe process_identifier: 2708	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: hnF.exe process_identifier: 2776	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: conhost.exe process_identifier: 2840	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: cmd.exe process_identifier: 2944	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: conhost.exe process_identifier: 2956	1	1
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: ctfmon.exe process_identifier: 2984	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000170 process_name: cmd.exe process_identifier: 3044	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000170 process_name: conhost.exe process_identifier: 2112	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000170 process_name: pw.exe process_identifier: 2172	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000124 process_name: mscorsvw.exe process_identifier: 2456	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000124 process_name: sppsvc.exe process_identifier: 2528	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000124 process_name: cmd.exe process_identifier: 2076	1	1
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x00000170 process_name: conhost.exe process_identifier: 2792	1	1
Process32NextW June 16, 2024, 9:56 a.m.	snapshot_handle: 0x00000170 process_name: pw.exe process_identifier: 2804	1	1
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000250 process_name: mscorsvw.exe process_identifier: 7602224		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000254 process_name: mscorsvw.exe process_identifier: 3014768		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000258 process_name: mscorsvw.exe process_identifier: 7274573		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x0000025c process_name: mscorsvw.exe process_identifier: 5046390		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x0000027c process_name: mscorsvw.exe process_identifier: 6619246		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000280 process_name: mscorsvw.exe process_identifier: 6881397		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000284 process_name: mscorsvw.exe process_identifier: 7602277		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000288 process_name: mscorsvw.exe process_identifier: 5177421		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x0000028c process_name: mscorsvw.exe process_identifier: 5046338		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000290 process_name: mscorsvw.exe process_identifier: 6619235		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000294 process_name: mscorsvw.exe process_identifier: 4456552		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x00000298 process_name: mscorsvw.exe process_identifier: 6553705		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x0000029c process_name: mscorsvw.exe process_identifier: 6815859		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002a0 process_name: mscorsvw.exe process_identifier: 6619251		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002a4 process_name: mscorsvw.exe process_identifier: 6684769		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002a8 process_name: mscorsvw.exe process_identifier: 6357091		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002ac process_name: mscorsvw.exe process_identifier: 7733331		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002b0 process_name: mscorsvw.exe process_identifier: 6815860		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002b4 process_name: mscorsvw.exe process_identifier: 7667815		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002bc process_name: mscorsvw.exe process_identifier: 7209061		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002c4 process_name: mscorsvw.exe process_identifier: 5374032		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002c8 process_name: e process_identifier: 7471201		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002d4 process_name: mscorsvw.exe process_identifier: 7667821		0
Process32NextW June 16, 2024, 9:55 a.m.	snapshot_handle: 0x000002d8 process_name: mscorsvw.exe process_identifier: 7274605		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00110c3d', u'virtual_address': u'0x00248000', u'entropy': 7.9959277993918345, u'name': u'.nsp1', u'virtual_size': u'0x00111000'}

entropy

7.99592779939

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004200', u'virtual_address': u'0x0035b000', u'entropy': 6.934006008765163, u'name': u'O\\xb0n?\\xa3ux', u'virtual_size': u'0x00005000'}

entropy

6.93400600877

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 13628 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x000000f4 process_name: is;ż process_identifier: 2184		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0
Process32NextW June 16, 2024, 9:54 a.m.	snapshot_handle: 0x00000170 process_name: 탰aﶴɢ㱴瞍㲣瞍ᗄ痹 process_identifier: 2460		0	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: b99d52ea98bdd45b252cfea79029b570a81e622b

Communicates with host for which no DNS query was performed (2 events)

host	38.147.172.248
host	51.15.193.130

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst	reg_value	C:\Users\test22\AppData\Local\Temp\csrss1.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver	reg_value	C:\ProgramData\Synaptics\Synaptics.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name	reg_value	C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver	reg_value	C:\ProgramData\Synaptics\Synaptics.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name	reg_value	C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe
service_name	Mnopqr	service_path	C:\Windows\SysWOW64\ctfmon.exe
service_name	Mnopqr	service_path	C:\Windows\SysWOW64\ctfmon.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2420 process_handle: 0x00000170	1	1	0
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2624 process_handle: 0x00000174	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 16, 2024, 9:54 a.m.	thread_identifier: 0 callback_function: 0x03b53540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x03b50000	1	262449	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2280 called NtSetContextThread to modify thread in remote process 2420
Process injection	Process 2460 called NtSetContextThread to modify thread in remote process 2624
NtSetContextThread June 16, 2024, 9:54 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4222780 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 2420	1	0	0
NtSetContextThread June 16, 2024, 9:54 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4222780 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000170 process_identifier: 2624	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2280 resumed a thread in remote process 2420
Process injection	Process 2460 resumed a thread in remote process 2624
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2420	1	0	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2624	1	0	0

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 776 thread_handle: 0x000000d4 process_identifier: 1740 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\BIwL.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d8	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2124 thread_handle: 0x000000fc process_identifier: 2120 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\csrss1.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000100	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2180 thread_handle: 0x00000100 process_identifier: 2176 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\csrss2.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000fc	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\csrss3.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\csrss4.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\csrss5.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\280D2AB5.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\014F1B8E.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\39251ACE.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\18EE6058.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Users\test22\AppData\Local\Temp\0CC72395.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2704 thread_handle: 0x000003d4 process_identifier: 2700 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\36e244b7.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000e0	1	1
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2176	1	0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2284 thread_handle: 0x0000043c process_identifier: 2280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2344 thread_handle: 0x0000043c process_identifier: 2340 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Synaptics\Synaptics.exe track: 1 command_line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate filepath_r: C:\ProgramData\Synaptics\Synaptics.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d8	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2424 thread_handle: 0x0000016c process_identifier: 2420 current_directory: filepath: track: 1 command_line: ctfmon.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000170	1	1
NtGetContextThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000016c	1	0
NtUnmapViewOfSection June 16, 2024, 9:54 a.m.	base_address: 0x0262fedc region_size: 1963528192 process_identifier: 2420 process_handle: 0x00000170		3221225497
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2420 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00400000 process_identifier: 2420 process_handle: 0x00000170	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00401000 process_identifier: 2420 process_handle: 0x00000170	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00408000 process_identifier: 2420 process_handle: 0x00000170	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x0040b000 process_identifier: 2420 process_handle: 0x00000170	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00419000 process_identifier: 2420 process_handle: 0x00000170	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2420 process_handle: 0x00000170	1	1
NtSetContextThread June 16, 2024, 9:54 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4222780 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000016c process_identifier: 2420	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2420	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2464 thread_handle: 0x00000438 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_Synaptics.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000430	1	1
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2628 thread_handle: 0x00000170 process_identifier: 2624 current_directory: filepath: track: 1 command_line: ctfmon.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000174	1	1
NtGetContextThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000170	1	0
NtUnmapViewOfSection June 16, 2024, 9:54 a.m.	base_address: 0x0277fedc region_size: 1962151936 process_identifier: 2624 process_handle: 0x00000174		3221225497
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2624 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000174	1	0
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00400000 process_identifier: 2624 process_handle: 0x00000174	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00401000 process_identifier: 2624 process_handle: 0x00000174	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00408000 process_identifier: 2624 process_handle: 0x00000174	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x0040b000 process_identifier: 2624 process_handle: 0x00000174	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: base_address: 0x00419000 process_identifier: 2624 process_handle: 0x00000174	1	1
WriteProcessMemory June 16, 2024, 9:54 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2624 process_handle: 0x00000174	1	1
NtSetContextThread June 16, 2024, 9:54 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4222780 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000170 process_identifier: 2624	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2624	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 2420	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 2624	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Lionic	Virus.Win32.Nimnul.n!c
tehtris	Generic.Malware
ClamAV	Win.Malware.Wapomi-10020301-0
Malwarebytes	Trojan.MalPack.Generic
K7AntiVirus	Trojan ( 005257651 )
K7GW	Trojan ( 005257651 )
CrowdStrike	win/malicious_confidence_100% (W)
VirIT	Win32.Nimnul.F
Symantec	W32.Wapomi.C!inf
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Alibaba	Virus:Win32/Nimnul.402c
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
MicroWorld-eScan	Win32.VJadtre.3
McAfeeD	Real Protect-LS!2CA46E1C431B
Trapmine	malicious.high.ml.score
Ikarus	Trojan.Obfuscate
Avira	W32/Jadtre.B
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Nimnul.f.168959
Gridinsoft	Trojan.Heur!.03212201
ViRobot	Win32.Ramnit.F
AhnLab-V3	Win32/VJadtre.Gen
DeepInstinct	MALICIOUS
TACHYON	Virus/W32.Ramnit.C
Cylance	Unsafe
Tencent	Virus.Win32.Loader.aab
SentinelOne	Static AI - Malicious PE
Cybereason	malicious.c431bc
alibabacloud	Virus:Win/Jadtre.A(dyn)

WB.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All