Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 27, 2024, 3:07 p.m.	Aug. 27, 2024, 3:15 p.m.

Size	7.8MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`a18fe6fa6a9296ba8faf7e7dcfd5d0f8`
SHA256	`5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2`
CRC32	`4668CA3F`
ssdeep	`196608:W0nIsHAxk4jJoz0KVTFbS1gf42FwCsVMhfL36JIzBQiYlx6/Wq:rVHAxBjmFPm1gpFw/Mhm+zBQiwx6/l`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

Aquarius.exe "C:\Users\test22\AppData\Local\Temp\Aquarius.exe"
2568
- cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F2DB.tmp\F2EC.tmp\F2ED.bat C:\Users\test22\AppData\Local\Temp\Aquarius.exe"
  2700
  - timeout.exe timeout 1
    2784
  - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
    2832
  - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
    2876
  - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
    2920
  - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
    2964
  - WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
    3008
    - WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
      2352
  - WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
    1216
  - java.exe "C:\Windows\system32\java.exe"
    1728
    - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat C:\Windows\system32\java.exe"
      2228
      - timeout.exe timeout 1
        2472
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        2660
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        2380
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        2828
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        2908
      - WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        2976
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        2448
      - WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        908
      - java.exe "C:\Windows\system32\java.exe"
        2256
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat C:\Windows\system32\java.exe"
        2804
        
        timeout.exe timeout 1
        2924
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        1808
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        2064
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        2296
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        2780
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        2480
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        2396
        
        WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        2280
        
        java.exe "C:\Windows\system32\java.exe"
        2848
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A6A.bat C:\Windows\system32\java.exe"
        1272
        
        timeout.exe timeout 1
        192
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        2208
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        2120
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        2772
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        1168
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        2668
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        1656
        
        WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        1332
        
        java.exe "C:\Windows\system32\java.exe"
        1948
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat C:\Windows\system32\java.exe"
        3448
        
        timeout.exe timeout 1
        3552
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        3612
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        3692
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        3740
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        3788
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        3832
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        3972
        
        WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        3924
        
        java.exe "C:\Windows\system32\java.exe"
        4080
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\5346.tmp\5347.tmp\5358.bat C:\Windows\system32\java.exe"
        3300
        
        timeout.exe timeout 1
        1592
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        1356
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        3580
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        3404
        
        reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        3704
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        3784
        
        WindowsDefenderUpdater.exe "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        3980
        
        WindowsDataUpdater.exe "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        3896
        
        timeout.exe timeout 5
        1804
        
        timeout.exe timeout 5
        3220
        
        timeout.exe timeout 5
        2984
      - timeout.exe timeout 5
        884
  - timeout.exe timeout 5
    2740

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:07 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:02 p.m.			0	0
IsDebuggerPresent Aug. 27, 2024, 3:02 p.m.			0	0

Command line console output was observed (50 out of 77 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 1 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 1 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 1 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Aquarius.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Access is denied. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-data.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-DataUpdater.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: A subdirectory or file C:\Windows\system32\WinBioData already exists. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Aquarius.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Access is denied. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-data.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-DataUpdater.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: A subdirectory or file C:\Windows\system32\WinBioData already exists. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: 0 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-data.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-DataUpdater.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:07 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: A subdirectory or file C:\Windows\system32\WinBioData already exists. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\Aquarius.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-data.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\AQS-DataUpdater.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 27, 2024, 3:08 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 27, 2024, 3:07 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

Allocates read-write-execute memory (usually to unpack itself) (50 out of 296 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef423b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3ba4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9449c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe944a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9443c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9440d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9443d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 27, 2024, 3:07 p.m.	process_identifier: 1216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe945e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (50 out of 284 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI24802\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\rar.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24802\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30082\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI26682\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI29762\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI37842\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI38322\rar.exe

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F2DB.tmp\F2EC.tmp\F2ED.bat C:\Users\test22\AppData\Local\Temp\Aquarius.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A6A.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\5346.tmp\5347.tmp\5358.bat C:\Windows\system32\java.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\AQS-data.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 27, 2024, 3:07 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\F2DB.tmp\F2EC.tmp\F2ED.bat C:\Users\test22\AppData\Local\Temp\Aquarius.exe" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW Aug. 27, 2024, 3:07 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat C:\Windows\system32\java.exe" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW Aug. 27, 2024, 3:07 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat C:\Windows\system32\java.exe" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW Aug. 27, 2024, 3:08 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A6A.bat C:\Windows\system32\java.exe" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW Aug. 27, 2024, 3:01 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat C:\Windows\system32\java.exe" filepath: C:\Windows\System32\cmd	1	1
ShellExecuteExW Aug. 27, 2024, 3:01 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\5346.tmp\5347.tmp\5358.bat C:\Windows\system32\java.exe" filepath: C:\Windows\System32\cmd	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x007a9a00', u'virtual_address': u'0x00022000', u'entropy': 7.999974717555543, u'name': u'.rsrc', u'virtual_size': u'0x007a99d4'}

entropy

7.99997471756

description

A section with a high entropy has been found

entropy

0.985246107484

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://www.microsoft.com

Yara rule detected in process memory (50 out of 536 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (16 events)

cmdline	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\F2DB.tmp\F2EC.tmp\F2ED.bat C:\Users\test22\AppData\Local\Temp\Aquarius.exe"
cmdline	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\5346.tmp\5347.tmp\5358.bat C:\Windows\system32\java.exe"
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\F2DB.tmp\F2EC.tmp\F2ED.bat C:\Users\test22\AppData\Local\Temp\Aquarius.exe"
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat C:\Windows\system32\java.exe"
cmdline	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A6A.bat C:\Windows\system32\java.exe"
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat C:\Windows\system32\java.exe"
cmdline	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A6A.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\EA4B.tmp\EA4C.tmp\EA4D.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat C:\Windows\system32\java.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\5346.tmp\5347.tmp\5358.bat C:\Windows\system32\java.exe"

Installs itself for autorun at Windows startup (24 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater	reg_value	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HOME	reg_value	C:\Windows\system32\javaw.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javaUp	reg_value	C:\Windows\system32\java.exe

Deletes executed files from disk (3 events)

file	C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp\AAB.bat
file	C:\Users\test22\AppData\Local\Temp\A9A.tmp
file	C:\Users\test22\AppData\Local\Temp\A9A.tmp\A9B.tmp

Resumed a suspended thread in a remote process potentially indicative of process injection (44 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2568 resumed a thread in remote process 2700
Process injection	Process 2700 resumed a thread in remote process 3008
Process injection	Process 2700 resumed a thread in remote process 1216
Process injection	Process 2700 resumed a thread in remote process 1728
Process injection	Process 1728 resumed a thread in remote process 2228
Process injection	Process 2228 resumed a thread in remote process 2976
Process injection	Process 2228 resumed a thread in remote process 908
Process injection	Process 2228 resumed a thread in remote process 2256
Process injection	Process 2256 resumed a thread in remote process 2804
Process injection	Process 2804 resumed a thread in remote process 2480
Process injection	Process 2804 resumed a thread in remote process 2280
Process injection	Process 2804 resumed a thread in remote process 2848
Process injection	Process 2848 resumed a thread in remote process 1272
Process injection	Process 1272 resumed a thread in remote process 2668
Process injection	Process 1272 resumed a thread in remote process 1332
Process injection	Process 1272 resumed a thread in remote process 1948
Process injection	Process 1948 resumed a thread in remote process 3448
Process injection	Process 3448 resumed a thread in remote process 3832
Process injection	Process 3448 resumed a thread in remote process 3924
Process injection	Process 3448 resumed a thread in remote process 4080
Process injection	Process 4080 resumed a thread in remote process 3300
Process injection	Process 3300 resumed a thread in remote process 3784
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2700	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 3008	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x000000000000007c suspend_count: 0 process_identifier: 1216	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 1728	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2228	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 2976	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 908	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 2256	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000220 suspend_count: 1 process_identifier: 2804	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 2480	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 2280	1	0	0
NtResumeThread Aug. 27, 2024, 3:07 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 2848	1	0	0
NtResumeThread Aug. 27, 2024, 3:08 p.m.	thread_handle: 0x0000000000000220 suspend_count: 1 process_identifier: 1272	1	0	0
NtResumeThread Aug. 27, 2024, 3:08 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 2668	1	0	0
NtResumeThread Aug. 27, 2024, 3:08 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 1332	1	0	0
NtResumeThread Aug. 27, 2024, 3:08 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 1948	1	0	0
NtResumeThread Aug. 27, 2024, 3:01 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 3448	1	0	0
NtResumeThread Aug. 27, 2024, 3:01 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 3832	1	0	0
NtResumeThread Aug. 27, 2024, 3:01 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 3924	1	0	0
NtResumeThread Aug. 27, 2024, 3:01 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 4080	1	0	0
NtResumeThread Aug. 27, 2024, 3:01 p.m.	thread_handle: 0x0000000000000220 suspend_count: 1 process_identifier: 3300	1	0	0
NtResumeThread Aug. 27, 2024, 3:02 p.m.	thread_handle: 0x0000000000000070 suspend_count: 0 process_identifier: 3784	1	0	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Gen.tqzj
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Backdoor.wc
ALYac	Dump:Generic.Qasar.B.20E89577
Cylance	Unsafe
VIPRE	Dump:Generic.Qasar.B.20E89577
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005850dc1 )
BitDefender	Dump:Generic.Qasar.B.20E89577
K7GW	Riskware ( abcd70071 )
Cybereason	malicious.a6a929
Arcabit	Dump:Generic.Qasar.B.20E89577
VirIT	Trojan.Win32.Banker1.BMNA
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	Artemis!A18FE6FA6A92
Avast	MSIL:Quasar-A [Rat]
ClamAV	Win.Malware.Generic-10031891-0
Kaspersky	Trojan-PSW.Win64.Alien.jbx
Alibaba	Trojan:MSIL/Quasar.a7307d3a
MicroWorld-eScan	Dump:Generic.Qasar.B.20E89577
Rising	Backdoor.Quasar!1.E5F1 (CLOUD)
Emsisoft	Dump:Generic.Qasar.B.20E89577 (B)
F-Secure	Trojan.TR/AD.Nekark.mmwfg
DrWeb	Trojan.MulDrop28.10503
TrendMicro	Backdoor.Win64.QUASARRAT.YXEHXZ
McAfeeD	ti!5B88C90D6BEF
FireEye	Generic.mg.a18fe6fa6a9296ba
Sophos	Troj/Quasar-AF
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/AD.Nekark.mmwfg
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.SchoolGirl
Kingsoft	Win64.Trojan-PSW.Alien.jbx
Gridinsoft	Backdoor.Win64.Quasar.tr
Microsoft	Trojan:MSIL/QuasarRat.RPZ!MTB
ZoneAlarm	Trojan-PSW.Win64.Alien.jbx
GData	Dump:Generic.Qasar.B.20E89577
Varist	W64/Bulz.BB.gen!Eldorado
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Win64.Banker
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan-Spy.Agent
TrendMicro-HouseCall	Backdoor.Win64.QUASARRAT.YXEHXZ
Tencent	Win64.Trojan-QQPass.QQRob.Gajl
MaxSecure	Trojan.Malware.276348112.susgen

The process java.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Users\test22\AppData\Roaming\AQS-data.exe
file	C:\Users\test22\AppData\Roaming\AQS-DataUpdater.exe
file	C:\Windows\System32\cmd.exe

Aquarius.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All