Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 19, 2024, 1:34 p.m.	June 19, 2024, 1:36 p.m.

Size	144.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6945668834c3c7223d4d98e0e89428ec`
SHA256	`47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e`
CRC32	`B7D555CC`
ssdeep	`3072:9DLhghNC38S7gzQ/cVD4U7p82jMU0Lt/w/HOWJbG5vcX++kwEKEAW31D4:2zQ/L6Mbw/uWJbGF+REKA1`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

AntiVirus.exe "C:\Users\test22\AppData\Local\Temp\AntiVirus.exe"
2556
- cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit
  2732
  - powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe
    2800
- cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2868
  - powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    2936

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 19, 2024, 10:09 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 19, 2024, 10:08 a.m.			0	0
IsDebuggerPresent June 19, 2024, 10:08 a.m.			0	0
IsDebuggerPresent June 19, 2024, 10:09 a.m.			0	0
IsDebuggerPresent June 19, 2024, 10:09 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 84 events)

Time & API	Arguments	Status	Return
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026d1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc5e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc5e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026d480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026d480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026d480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dc6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dcc70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dcc70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b6dcc70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa0c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa0c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa0c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa0c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002fa0c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b704250 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b704250 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7042c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7042c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b704d40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b704d40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b705050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b705050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ffcb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c594d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c594d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c594d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c59770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c59770 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c594d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 19, 2024, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002c594d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 19, 2024, 10:08 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 398 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002080000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a22000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a24000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9435c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94386000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94421000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:08 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:09 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:09 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:09 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:09 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 19, 2024, 10:09 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 events)

file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\apakagogmckphjnojeblmiaahdnogkni
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fgmanlmbjbclcnkficdodlognkeheejb
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\llmlhlddaeediifoladephjpgejknmal
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\gbanjdaphdabiocllfbjolmdjckocjnj
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\kffganmbldfgkgineogpgclfkkngcool
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\lfmgcmgkbkphaaggnofnhoonmjfmjhah
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\mlnmjikdhcblohfpfdfmegjkjlnbbkna
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\jcjejccajkejpnadafclaophjfpjebhm
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\ncljmiffkofogcgiepiflbfhjelkklkb
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\edffijlgmobnajlneenopceappncihfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\gchanpaeodapopimpablnkmenhkndddi
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\gjdpfnfmelhakanjicgoeepdoninjjod
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings_pgnemdcbsnenjgpajdflhjnelnhkdcb
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings_ojhmikaojhghfplekghaghaeogmdhnl
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\kcbnmnnkigeelbhlfllahgejbhdnlhan
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\okompkjedlhgdlkhbanmiboeploplgpc
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\fnlgpnbkflbpcpkkohbiojomgeokejjn
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\aabeakehlapikpddikddcikneklnfbfl
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
file	C:\Users\test22\AppData\Roaming\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
cmdline	cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 19, 2024, 10:09 a.m.	show_type: 0 filepath_r: cmd parameters: /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit filepath: cmd	1	1	0
ShellExecuteExW June 19, 2024, 10:09 a.m.	show_type: 0 filepath_r: cmd parameters: /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 19, 2024, 10:08 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2024, 10:09 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 19, 2024, 10:09 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
cmdline	cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
cmdline	"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe & exit
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\test22\AppData\Local\Temp\AntiVirus.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus

reg_value

C:\Users\test22\AppData\Local\Temp\AntiVirus.exe

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2732 resumed a thread in remote process 2800
Process injection	Process 2868 resumed a thread in remote process 2936
NtResumeThread June 19, 2024, 10:09 a.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 2800	1	0	0
NtResumeThread June 19, 2024, 10:09 a.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 2936	1	0	0

Creates a suspicious Powershell process (6 events)

option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\dfrgui.exe

Generates some ICMP traffic

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware.CS
Elastic	Windows.Infostealer.PhemedroneStealer
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Generic.cm
ALYac	IL:Trojan.MSILZilla.29594
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.29594
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005706a81 )
BitDefender	IL:Trojan.MSILZilla.29594
K7GW	Trojan-Downloader ( 005706a81 )
Cybereason	malicious.834c3c
Arcabit	IL:Trojan.MSILZilla.D739A
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.ENP
McAfee	Trojan-FRAX!6945668834C3
Avast	Win32:SpywareX-gen [Trj]
ClamAV	Win.Packed.Msilzilla-10026835-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Coins.gen
MicroWorld-eScan	IL:Trojan.MSILZilla.29594
Rising	Stealer.Phemedrone!1.F3D5 (CLASSIC)
Emsisoft	IL:Trojan.MSILZilla.29594 (B)
F-Secure	Heuristic.HEUR/AGEN.1371384
DrWeb	BackDoor.XenoRatNET.15
FireEye	Generic.mg.6945668834c3c722
Sophos	ML/PE-A
Ikarus	Trojan-Spy.RedLineStealer
Jiangmin	Trojan.PSW.MSIL.etot
Google	Detected
Avira	HEUR/AGEN.1371384
MAX	malware (ai score=83)
Microsoft	Trojan:Win32/Formbook!ml
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Coins.gen
GData	IL:Trojan.MSILZilla.29594
Varist	W32/MSIL_Agent.FUM.gen!Eldorado
AhnLab-V3	Trojan/Win.FRAX.C5616093
BitDefenderTheta	Gen:NN.ZemsilF.36806.jm0@aGYUaVk
TACHYON	Trojan-PWS/W32.DN-Coins.147456
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.InfoStealer.gen.D
Malwarebytes	Spyware.Agent.MSIL
SentinelOne	Static AI - Malicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
AVG	Win32:SpywareX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)

AntiVirus.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All