Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 21, 2024, 1:27 p.m.	Aug. 21, 2024, 1:45 p.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`06f3cde26cf65abbf65884e0ea52a40c`
SHA256	`1da6cf11dc5952f53b697380e0aa27e25b6d5d99f0552f8f78266ffb79165fd8`
CRC32	`E80588C6`
ssdeep	`49152:mLAYjlqi+D79RIgTsFRlY2k8Y/3eQpusGpBd4H2LK6ZBOtTSoiIPwz2N2LFiE/Q7:qAYjci+f9RIo8o5`
PDB Path	E:\Branch\win\Release\stubs\x86\ExternalUi.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

klds.exe "C:\Users\test22\AppData\Local\Temp\klds.exe"
1688
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2564
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
    2652
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AppLaunch.exe'
    2760
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\edge.exe'
    2856
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edge.exe'
    2952

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.103:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (31 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 1:28 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:28 p.m.			0	0

Command line console output was observed (33 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4. console_handle: 0x00000053	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: 0.30319\AppLaunch.exe' console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + Add-MpPreference <<<< -ExclusionProcess 'AppLaunch.exe' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath 'C:\Users\Public\edge.exe' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + Add-MpPreference <<<< -ExclusionProcess 'edge.exe' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 21, 2024, 1:28 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 184 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4908 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e46c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e4748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0043e2d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0043e9d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0043e9d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 1:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0043e9d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

E:\Branch\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:27 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	IMAGE_FILE
resource name	RTF_FILE

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 694 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00628000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 region_size: 100003840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00634000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 184320 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 172032 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:27 p.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 1688 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7400b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7450a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74441000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00831000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f5b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 21, 2024, 1:28 p.m.	total_number_of_free_bytes: 9134112768 free_bytes_available: 9134112768 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Aug. 21, 2024, 1:28 p.m.	total_number_of_free_bytes: 9134006272 free_bytes_available: 9134006272 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\edge.exe
file	C:\Users\test22\Documents\ChromeUpdate\schost.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (8 events)

cmdline	powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edge.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\edge.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AppLaunch.exe'
cmdline	powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
cmdline	powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AppLaunch.exe'
cmdline	powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\edge.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edge.exe'

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_VideoController
wmi	select * from Win32_OperatingSystem

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 21, 2024, 1:28 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe' filepath: powershell.exe	1	1
ShellExecuteExW Aug. 21, 2024, 1:28 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AppLaunch.exe' filepath: powershell.exe	1	1
ShellExecuteExW Aug. 21, 2024, 1:28 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\edge.exe' filepath: powershell.exe	1	1
ShellExecuteExW Aug. 21, 2024, 1:28 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edge.exe' filepath: powershell.exe	1	1

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Elastic	malicious (high confidence)
Avast	FileRepMalware [Misc]
Google	Detected
Ikarus	Trojan.Win32.Krypt
AVG	FileRepMalware [Misc]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 21, 2024, 1:28 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 1:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Win XWorm V3.1	rule	Win_XWorm_3_M_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Remote Administration toolkit using webcam	rule	RAT_WebCam

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 1f46f850974fca48a95a498fcd95a6feb760af68

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000016c	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SpyPro				reg_value	C:\Users\test22\Documents\ChromeUpdate\schost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\edge				reg_value	C:\Users\Public\edge.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 21, 2024, 1:28 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2564 process_handle: 0x0000016c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 0 callback_function: 0x006108f2 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	983503	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1688 called NtSetContextThread to modify thread in remote process 2564
NtSetContextThread Aug. 21, 2024, 1:28 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 835422 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000164 process_identifier: 2564	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (3 events)

Time & API	Arguments	Status	Return
CryptHashData Aug. 21, 2024, 1:28 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00475160 flags: 0	1	1
CryptHashData Aug. 21, 2024, 1:28 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00475f60 flags: 0	1	1
CryptHashData Aug. 21, 2024, 1:28 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00475f60 flags: 0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1688 resumed a thread in remote process 2564
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2564	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 21, 2024, 1:27 p.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 1688	1	0
CreateProcessInternalW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 2568 thread_handle: 0x00000164 process_identifier: 2564 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000016c	1	1
NtGetContextThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000164	1	0
NtAllocateVirtualMemory Aug. 21, 2024, 1:28 p.m.	process_identifier: 2564 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000016c	1	0
WriteProcessMemory Aug. 21, 2024, 1:28 p.m.	buffer: base_address: 0x000c0000 process_identifier: 2564 process_handle: 0x0000016c	1	1
WriteProcessMemory Aug. 21, 2024, 1:28 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2564 process_handle: 0x0000016c	1	1
NtSetContextThread Aug. 21, 2024, 1:28 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 835422 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000164 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 2656 thread_handle: 0x00000398 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a0	1	1
CreateProcessInternalW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 2764 thread_handle: 0x000003b0 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AppLaunch.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c8	1	1
CreateProcessInternalW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 2860 thread_handle: 0x000003bc process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\edge.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Aug. 21, 2024, 1:28 p.m.	thread_identifier: 2956 thread_handle: 0x000003c0 process_identifier: 2952 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'edge.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c8	1	1
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000004b4 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000528 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000544 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000648 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000006ec suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000004c4 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000004c4 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000004c4 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread Aug. 21, 2024, 1:28 p.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 2952	1	0

klds.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All