Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 9:25 a.m.	Sept. 30, 2024, 9:32 a.m.

Size	26.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`dcdb897d2801402f78c645729cbde7ca`
SHA256	`24efbb21f68a0de095014daeb300879df8428847a1e9586b8e62a54e4e548d99`
CRC32	`6800D96B`
ssdeep	`768:xrbBRXZPJ/kOjWMKzUq7cvPgCohb9CcqJlSa5:xjZPiMKzLsHo5UcISa5`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

GoogleUpdater.exe "C:\Users\test22\AppData\Local\Temp\GoogleUpdater.exe"
2552
- VPNAgentService.exe "C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe"
  2716
  - ChromeServiceHub.exe "C:\Users\test22\AppData\Local\Temp\LSMD\ChromeServiceHub.exe" --checker
    2812
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
138.201.163.183	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 9:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:25 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 9:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:27 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:25 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (12 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_95f9a2f928e94f7299505bec64b48ece.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_376f3bb240a24a699f20aa1200e7173c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b7d35abd15e94f5795583a2b96d7d5bc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_25a5d6b858224a5abca184f3818bf965.lnk

Creates a shortcut to an executable file (12 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_95f9a2f928e94f7299505bec64b48ece.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_376f3bb240a24a699f20aa1200e7173c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b7d35abd15e94f5795583a2b96d7d5bc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_25a5d6b858224a5abca184f3818bf965.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2024, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2024, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

138.201.163.183

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 30, 2024, 9:25 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (13 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VPNAgentService_d6227da2092249bd80aef70c16728a70	reg_value	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_95f9a2f928e94f7299505bec64b48ece.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_376f3bb240a24a699f20aa1200e7173c.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b7d35abd15e94f5795583a2b96d7d5bc.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_25a5d6b858224a5abca184f3818bf965.lnk

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

138.201.163.183:443

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.MSILHeracles.4!c
ALYac	IL:Trojan.MSILZilla.147204
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.147204
Sangfor	Trojan.Win32.Agent.Vlkq
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	IL:Trojan.MSILZilla.147204
K7GW	Trojan ( 005baf951 )
K7AntiVirus	Trojan ( 005baf951 )
Arcabit	IL:Trojan.MSILZilla.D23F04
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of MSIL/Agent.XCZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Alibaba	TrojanDropper:MSIL/Scrop.d65a9365
MicroWorld-eScan	IL:Trojan.MSILZilla.147204
Rising	Dropper.Scrop!8.EABB (CLOUD)
Emsisoft	IL:Trojan.MSILZilla.147204 (B)
F-Secure	Trojan.TR/Agent.qkixb
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEI2Z
McAfeeD	Real Protect-LS!DCDB897D2801
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	IL:Trojan.MSILZilla.147204
Google	Detected
Avira	TR/Agent.qkixb
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	MSIL.Trojan-Dropper.Scrop.gen
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	IL:Trojan.MSILZilla.147204
AhnLab-V3	Malware/Win.Generic.C5675615
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.MSIL.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEI2Z
Tencent	Msil.Trojan-Dropper.Scrop.Gtgl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.XCZ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:MSIL/Wacatac.B9nj

GoogleUpdater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All