Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:19 a.m.	Sept. 30, 2024, 11:31 a.m.

Size	26.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f19c11a58219d9abea718193816c24f4`
SHA256	`932e0184008dd5a70adcdc725d0bc3cb80f3878df48ae8bff9e85cb9c2716f58`
CRC32	`8F4EA46F`
ssdeep	`768:a2bBsdP5J1kKjvMKxic+cvPgdTst9Ccq5eQBk7Sn5:alP5NMKxasoUUc+ISn5`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

66f6995655161_GoogleUpdater.exe "C:\Users\test22\AppData\Local\Temp\66f6995655161_GoogleUpdater.exe"
2552
- VPNAgentService.exe "C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe"
  2720
  - ChromeServiceHub.exe "C:\Users\test22\AppData\Local\Temp\LSMD\ChromeServiceHub.exe" --checker
    2820
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.33.6.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:19 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 11:19 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 30, 2024, 11:19 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1 mscorlib+0x2f4593 @ 0x71434593 mscorlib+0x30a2fa @ 0x7144a2fa mscorlib+0x30a0e5 @ 0x7144a0e5 mscorlib+0x309e20 @ 0x71449e20 mscorlib+0x990b36 @ 0x71ad0b36 mscorlib+0xd0f717 @ 0x71e4f717 mscorlib+0xd232cd @ 0x71e632cd mscorlib+0x2ff1ce @ 0x7143f1ce 0xa023a8 mscorlib+0x34b466 @ 0x7148b466 mscorlib+0x34b429 @ 0x7148b429 mscorlib+0x3022a6 @ 0x714422a6 mscorlib+0x34b2d2 @ 0x7148b2d2 mscorlib+0x34b1f7 @ 0x7148b1f7 mscorlib+0x34b13b @ 0x7148b13b mscorlib+0x30d3a5 @ 0x7144d3a5 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95 DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x7220f1cc LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72177d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72177dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72177e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7210c3bf DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x7220f164 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x721ef54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7221a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 100986652 registers.edi: 0 registers.eax: 100986652 registers.ebp: 100986732 registers.edx: 32 registers.ebx: 7512032 registers.esi: 7234176 registers.ecx: 158608317	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 30, 2024, 11:19 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1
mscorlib+0x2f4593 @ 0x71434593
mscorlib+0x30a2fa @ 0x7144a2fa
mscorlib+0x30a0e5 @ 0x7144a0e5
mscorlib+0x309e20 @ 0x71449e20
mscorlib+0x990b36 @ 0x71ad0b36
mscorlib+0xd0f717 @ 0x71e4f717
mscorlib+0xd232cd @ 0x71e632cd
mscorlib+0x2ff1ce @ 0x7143f1ce
0xa023a8
mscorlib+0x34b466 @ 0x7148b466
mscorlib+0x34b429 @ 0x7148b429
mscorlib+0x3022a6 @ 0x714422a6
mscorlib+0x34b2d2 @ 0x7148b2d2
mscorlib+0x34b1f7 @ 0x7148b1f7
mscorlib+0x34b13b @ 0x7148b13b
mscorlib+0x30d3a5 @ 0x7144d3a5
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x7220f1cc
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x72177d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x72177dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x72177e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7210c3bf
DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x7220f164
DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x721ef54d
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7221a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 100986652
registers.edi: 0
registers.eax: 100986652
registers.ebp: 100986732
registers.edx: 32
registers.ebx: 7512032
registers.esi: 7234176
registers.ecx: 158608317

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:20 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72102000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:19 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk

Creates a shortcut to an executable file (8 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2024, 11:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2024, 11:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

45.33.6.223

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 30, 2024, 11:19 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (9 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VPNAgentService_d6227da2092249bd80aef70c16728a70	reg_value	C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_9f81a90523364bc5934cfc197f6a4689.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b94500f1aa034017a280ce7561412a2a.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_b886426e70a648daa83f7986a0c5aa92.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_4e0e6040d8764ad09d61c3970075af23.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_5ae4fb15dc934821a3f1f8f743be91cd.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_f13cca576e144448b89b1cb245224f36.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_c764aa8a52bf42469a9f57bb3223fe40.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNAgentService_aac14d341b3d4953bf3386426a2d1341.lnk

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Sept. 30, 2024, 11:19 a.m.	thread_identifier: 2724 thread_handle: 0x0000053c process_identifier: 2720 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\LSMD\VPNAgentService.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000544	1	1
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2720	1	0
CreateProcessInternalW Sept. 30, 2024, 11:19 a.m.	thread_identifier: 2824 thread_handle: 0x00000478 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\LSMD\ChromeServiceHub.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\LSMD\ChromeServiceHub.exe" --checker filepath_r: C:\Users\test22\AppData\Local\Temp\LSMD\ChromeServiceHub.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000004f4 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtSetContextThread Sept. 30, 2024, 11:19 a.m.	registers.eip: 1914186628 registers.esp: 100986860 registers.edi: 36866128 registers.eax: 36866166 registers.ebp: 100986864 registers.edx: 36871852 registers.ebx: 36866156 registers.esi: 130 registers.ecx: 36866166 thread_handle: 0x00000374 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtGetContextThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Sept. 30, 2024, 11:19 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2820	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Skyhigh	Artemis!Trojan
ALYac	IL:Trojan.MSILZilla.147204
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vec0
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	IL:Trojan.MSILZilla.147204
K7GW	Trojan ( 005baf951 )
K7AntiVirus	Trojan ( 005baf951 )
Arcabit	IL:Trojan.MSILZilla.D23F04
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Agent.XCZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Alibaba	TrojanDropper:MSIL/Scrop.024739e9
MicroWorld-eScan	IL:Trojan.MSILZilla.147204
Rising	Dropper.Scrop!8.EABB (TFE:dGZlOgzc0ZmlXSdKgQ)
Emsisoft	IL:Trojan.MSILZilla.147204 (B)
F-Secure	Trojan.TR/AVI.Agent.aeanu
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEI1Z
McAfeeD	Real Protect-LS!F19C11A58219
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	IL:Trojan.MSILZilla.147204
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AVI.Agent.aeanu
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	IL:Trojan.MSILZilla.147204
AhnLab-V3	Malware/Win.Generic.C5675615
McAfee	Artemis!F19C11A58219
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL
Ikarus	Trojan.MSIL.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEI1Z
Tencent	Msil.Trojan-Dropper.Scrop.Dkjl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.XCZ!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[dropper]:MSIL/Scrop.gyf

66f6995655161_GoogleUpdater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All