Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 27, 2024, 1:35 p.m.	Sept. 27, 2024, 1:40 p.m.

Size	25.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`168087c84c5ff3664e5e2f4eec18d7dd`
SHA256	`2a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d`
CRC32	`85B3FB54`
ssdeep	`768:0Z7bBiDrq+NhJvjhTxhi8DD08T10DnS1RW:0ZErqqTxhZDA8TKS1RW`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

66f424e80b9cc_idsmds.exe "C:\Users\test22\AppData\Local\Temp\66f424e80b9cc_idsmds.exe"
652
- MFDBG.exe "C:\Users\test22\AppData\Local\Temp\Malewmf\MFDBG.exe"
  2204
  - FDWDZ.exe "C:\Users\test22\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
    2276
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 1054 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 27, 2024, 1:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0
IsDebuggerPresent Sept. 27, 2024, 1:35 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 27, 2024, 1:35 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00801000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:28 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000049d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 27, 2024, 1:35 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 27, 2024, 1:30 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 9934520320 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (50 out of 527 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b4d82a7452841a38374c30f0e9cce0d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc0983cf4d054b68827e3178e2df6065.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa7012c6bd7544579449370e21e39cbf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a238421cc6e046ee9afa4a842dc9297d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12122efb88d6483cbc926a0cba8ec432.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a4a469b249044488b08e7aca40c986f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d585ca74b49c4b15b4ce52500936bfff.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78f2b7cc73234088b2beebe878e4f611.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90f3544b3bff452f817b866c271ee340.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da38fabb5996483eb5f4c1edd45f6bf0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_296167b838544d109fe515fbb8f7937f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0d8aeb7e665f458ab7fd3f1888609f91.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6fcc2f6a76ab45dfb07b75a34a649191.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fae5bc957541472db63b2f946221090d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bc4c7f297654344a2bf438218d043bf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_706bebb1df3c451993401dd7fac3ff70.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8e370caabc84ac0b407d70be2c2dab0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_756ee24b1047411f85203b6233f1e62e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51b98c633bf341c3b6b1046c848b00cb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ee3b9ecb8ee48d3a2e625eee5095f68.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0b55b44b618a433785db745a41586e7f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d12dc38b51be4edcafbbb76c062fa255.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_745ea9253dd34c82aa8b7989ca506bb2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_13e15e20fc91492ebfa104647d063ff0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0119b4600c494d26b8f2e518b17df522.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_872035c3ec7d42629f860715cf1e4118.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eef263b78ad2438f96af40883076e4b3.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_104a09b6e4f4431799041ba01d87acdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d0580105859491482f424daa20fc16a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37dcb4e74d484fd0a6304fd57c6120fa.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bdca32d45394d8697dead13e95d447f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a29ddb4f5e384ee3a441b7cc41e4a483.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78ef1904ccc6415cb803a934a5bd2663.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a828bcbb39b44a7b487eb5912fa9263.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_de2d4a74936943faaa7dc7b4643aca39.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_507d138327c444b890cb3eadcd8b86a8.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1437ab9bb0c04d318e11d84606c85d3c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5cf8d6000ef34068a127874a21b6d46c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_387dbe4382ce46399c6aedc476af0c07.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_120b0cb65c78449db274cb969048a0c1.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71a42aa3cc8a462490743206a4c045bd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc61fc372487433985cd1accff97051e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8771309aa3d24116bb9b8ab6096384cc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff7cd7ceb1e54a4d81833e1e4d933d49.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b217063d8d504a978ef2c6596d65e667.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63701eca491842dfac2e876864bc5700.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_137c63096a074a0b9923c07c0d18caea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5b6205188bf4fb281fd60130db89cea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2bb0231617f4fe486a7cb4add39b390.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ab21b6a37dd497991764d09d9e3f34d.lnk

Creates a shortcut to an executable file (50 out of 527 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b4d82a7452841a38374c30f0e9cce0d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc0983cf4d054b68827e3178e2df6065.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa7012c6bd7544579449370e21e39cbf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a238421cc6e046ee9afa4a842dc9297d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12122efb88d6483cbc926a0cba8ec432.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a4a469b249044488b08e7aca40c986f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d585ca74b49c4b15b4ce52500936bfff.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78f2b7cc73234088b2beebe878e4f611.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90f3544b3bff452f817b866c271ee340.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da38fabb5996483eb5f4c1edd45f6bf0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_296167b838544d109fe515fbb8f7937f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0d8aeb7e665f458ab7fd3f1888609f91.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6fcc2f6a76ab45dfb07b75a34a649191.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fae5bc957541472db63b2f946221090d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bc4c7f297654344a2bf438218d043bf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_706bebb1df3c451993401dd7fac3ff70.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8e370caabc84ac0b407d70be2c2dab0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_756ee24b1047411f85203b6233f1e62e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51b98c633bf341c3b6b1046c848b00cb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ee3b9ecb8ee48d3a2e625eee5095f68.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0b55b44b618a433785db745a41586e7f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d12dc38b51be4edcafbbb76c062fa255.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_745ea9253dd34c82aa8b7989ca506bb2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_13e15e20fc91492ebfa104647d063ff0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0119b4600c494d26b8f2e518b17df522.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_872035c3ec7d42629f860715cf1e4118.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eef263b78ad2438f96af40883076e4b3.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_104a09b6e4f4431799041ba01d87acdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d0580105859491482f424daa20fc16a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37dcb4e74d484fd0a6304fd57c6120fa.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bdca32d45394d8697dead13e95d447f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a29ddb4f5e384ee3a441b7cc41e4a483.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78ef1904ccc6415cb803a934a5bd2663.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a828bcbb39b44a7b487eb5912fa9263.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_de2d4a74936943faaa7dc7b4643aca39.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_507d138327c444b890cb3eadcd8b86a8.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1437ab9bb0c04d318e11d84606c85d3c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5cf8d6000ef34068a127874a21b6d46c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_387dbe4382ce46399c6aedc476af0c07.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_120b0cb65c78449db274cb969048a0c1.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71a42aa3cc8a462490743206a4c045bd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc61fc372487433985cd1accff97051e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8771309aa3d24116bb9b8ab6096384cc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff7cd7ceb1e54a4d81833e1e4d933d49.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b217063d8d504a978ef2c6596d65e667.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63701eca491842dfac2e876864bc5700.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_137c63096a074a0b9923c07c0d18caea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5b6205188bf4fb281fd60130db89cea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2bb0231617f4fe486a7cb4add39b390.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ab21b6a37dd497991764d09d9e3f34d.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Malewmf\MFDBG.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Malewmf\MFDBG.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 27, 2024, 1:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 27, 2024, 1:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 27, 2024, 1:35 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 528 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MFDBG_fe11a0e4a2bd4437880fc17f565ff982	reg_value	C:\Users\test22\AppData\Local\Temp\Malewmf\MFDBG.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b4d82a7452841a38374c30f0e9cce0d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc0983cf4d054b68827e3178e2df6065.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa7012c6bd7544579449370e21e39cbf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a238421cc6e046ee9afa4a842dc9297d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12122efb88d6483cbc926a0cba8ec432.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a4a469b249044488b08e7aca40c986f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d585ca74b49c4b15b4ce52500936bfff.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78f2b7cc73234088b2beebe878e4f611.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90f3544b3bff452f817b866c271ee340.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da38fabb5996483eb5f4c1edd45f6bf0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_296167b838544d109fe515fbb8f7937f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0d8aeb7e665f458ab7fd3f1888609f91.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6fcc2f6a76ab45dfb07b75a34a649191.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fae5bc957541472db63b2f946221090d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bc4c7f297654344a2bf438218d043bf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_706bebb1df3c451993401dd7fac3ff70.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8e370caabc84ac0b407d70be2c2dab0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_756ee24b1047411f85203b6233f1e62e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51b98c633bf341c3b6b1046c848b00cb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ee3b9ecb8ee48d3a2e625eee5095f68.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0b55b44b618a433785db745a41586e7f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d12dc38b51be4edcafbbb76c062fa255.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_745ea9253dd34c82aa8b7989ca506bb2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_13e15e20fc91492ebfa104647d063ff0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0119b4600c494d26b8f2e518b17df522.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_872035c3ec7d42629f860715cf1e4118.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eef263b78ad2438f96af40883076e4b3.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_104a09b6e4f4431799041ba01d87acdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d0580105859491482f424daa20fc16a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37dcb4e74d484fd0a6304fd57c6120fa.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bdca32d45394d8697dead13e95d447f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a29ddb4f5e384ee3a441b7cc41e4a483.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78ef1904ccc6415cb803a934a5bd2663.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a828bcbb39b44a7b487eb5912fa9263.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_de2d4a74936943faaa7dc7b4643aca39.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_507d138327c444b890cb3eadcd8b86a8.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1437ab9bb0c04d318e11d84606c85d3c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5cf8d6000ef34068a127874a21b6d46c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_387dbe4382ce46399c6aedc476af0c07.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_120b0cb65c78449db274cb969048a0c1.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71a42aa3cc8a462490743206a4c045bd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc61fc372487433985cd1accff97051e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8771309aa3d24116bb9b8ab6096384cc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ff7cd7ceb1e54a4d81833e1e4d933d49.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b217063d8d504a978ef2c6596d65e667.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63701eca491842dfac2e876864bc5700.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_137c63096a074a0b9923c07c0d18caea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5b6205188bf4fb281fd60130db89cea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2bb0231617f4fe486a7cb4add39b390.lnk

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\Malewmf\MFDBG.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 528 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7b4d82a7452841a38374c30f0e9cce0d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc0983cf4d054b68827e3178e2df6065.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fa7012c6bd7544579449370e21e39cbf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a238421cc6e046ee9afa4a842dc9297d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_12122efb88d6483cbc926a0cba8ec432.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a4a469b249044488b08e7aca40c986f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d585ca74b49c4b15b4ce52500936bfff.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78f2b7cc73234088b2beebe878e4f611.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_90f3544b3bff452f817b866c271ee340.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_35673a3ed2d64dc2b4546b05c957c425.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_da38fabb5996483eb5f4c1edd45f6bf0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_296167b838544d109fe515fbb8f7937f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0d8aeb7e665f458ab7fd3f1888609f91.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6fcc2f6a76ab45dfb07b75a34a649191.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fae5bc957541472db63b2f946221090d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bc4c7f297654344a2bf438218d043bf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_706bebb1df3c451993401dd7fac3ff70.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f8e370caabc84ac0b407d70be2c2dab0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_756ee24b1047411f85203b6233f1e62e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_51b98c633bf341c3b6b1046c848b00cb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5ee3b9ecb8ee48d3a2e625eee5095f68.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0b55b44b618a433785db745a41586e7f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d12dc38b51be4edcafbbb76c062fa255.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_745ea9253dd34c82aa8b7989ca506bb2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_13e15e20fc91492ebfa104647d063ff0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0119b4600c494d26b8f2e518b17df522.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_872035c3ec7d42629f860715cf1e4118.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_eef263b78ad2438f96af40883076e4b3.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_104a09b6e4f4431799041ba01d87acdb.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4d0580105859491482f424daa20fc16a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37dcb4e74d484fd0a6304fd57c6120fa.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6bdca32d45394d8697dead13e95d447f.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a29ddb4f5e384ee3a441b7cc41e4a483.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_78ef1904ccc6415cb803a934a5bd2663.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2a828bcbb39b44a7b487eb5912fa9263.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_507d138327c444b890cb3eadcd8b86a8.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1437ab9bb0c04d318e11d84606c85d3c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5cf8d6000ef34068a127874a21b6d46c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_387dbe4382ce46399c6aedc476af0c07.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_120b0cb65c78449db274cb969048a0c1.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_71a42aa3cc8a462490743206a4c045bd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bc61fc372487433985cd1accff97051e.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_07769ed966434574ab894aeead8068ee.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f0afc20e004c4f90accee27dac0c832d.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b217063d8d504a978ef2c6596d65e667.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_63701eca491842dfac2e876864bc5700.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5dc9089d3c584519aa8520a813731ce1.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7f5fdff666b4411b8858e5dfb72d109a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5b6205188bf4fb281fd60130db89cea.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2bb0231617f4fe486a7cb4add39b390.lnk

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Skyhigh	Artemis!Trojan
Cylance	Unsafe
VIPRE	Gen:Variant.MSILHeracles.181537
Sangfor	Dropper.Win32.Agent.Vx78
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Trojan.GenericKD.74195074
Arcabit	Trojan.Generic.D46C2082
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of MSIL/Agent.XCZ
APEX	Malicious
Avast	DropperX-gen [Drp]
MicroWorld-eScan	Trojan.GenericKD.74195074
Emsisoft	Trojan.GenericKD.74195074 (B)
F-Secure	Trojan.TR/Drop.Agent.dbyys
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEIZZ
McAfeeD	Real Protect-LS!168087C84C5F
CTX	exe.trojan.artemis
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Trojan.GenericKD.74195074
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Drop.Agent.dbyys
Kingsoft	MSIL.Trojan-Dropper.Agent.gen
Gridinsoft	Ransom.Win32.Wacatac.cl
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Trojan.GenericKD.74195074
McAfee	Artemis!168087C84C5F
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.MSIL.Basic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEIZZ
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	DropperX-gen [Drp]
Paloalto	generic.ml
alibabacloud	Trojan[dropper]:MSIL/Wacatac.B9nj

66f424e80b9cc_idsmds.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All