Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 29, 2024, 1:27 p.m.	Nov. 29, 2024, 1:29 p.m.

Size	17.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5f602a88eb5e8abb43c9035585f8dbef`
SHA256	`95b586a973d1b82e0ab59cd1127466d11fdf7fd352e10b52daa3e9a43d02d1f0`
CRC32	`D9677A96`
ssdeep	`393216:SlV2QFCou5oFWb7Z5+Tv5dPoen3vCiYBAnxVXdx:kV2QF/a5+TYiDF/`
PDB Path	C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Yara	Malicious_Library_Zero - Malicious_Library Antivirus - Contains references to security software IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

TcMBq5M.exe "C:\Users\test22\AppData\Local\Temp\TcMBq5M.exe"
1508
- msiexec.exe "C:\Windows\system32\msiexec.exe" /i C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\TcMBq5M.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732854310 " AI_EUIMSI=""
  2252
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
downloads.bablosoft.com	A 54.37.204.238	54.37.204.238
bablosoft.com	A 51.38.126.82	51.38.126.82

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.38.126.82	Active	Moloch
54.37.204.238	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2054224	ET INFO Browser Automation Toolkit in DNS Lookup (bablosoft .com)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2054224	ET INFO Browser Automation Toolkit in DNS Lookup (bablosoft .com)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2036703	ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com)	Potentially Bad Traffic
TCP 192.168.56.103:49220 -> 51.38.126.82:443	2054225	ET INFO Browser Automation Toolkit in TLS SNI (bablosoft .com)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49219 -> 51.38.126.82:443	2054225	ET INFO Browser Automation Toolkit in TLS SNI (bablosoft .com)	Potential Corporate Privacy Violation
TCP 51.38.126.82:443 -> 192.168.56.103:49220	2036686	ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)	Potentially Bad Traffic
TCP 51.38.126.82:443 -> 192.168.56.103:49219	2036686	ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49220 51.38.126.82:443	C=US, O=Let's Encrypt, CN=R10	CN=bablosoft.com	40:31:e7:5f:f4:76:a4:66:67:6c:c6:d0:15:9f:6a:ab:be:5c:e1:1e
TLS 1.2 192.168.56.103:49219 51.38.126.82:443	C=US, O=Let's Encrypt, CN=R10	CN=bablosoft.com	40:31:e7:5f:f4:76:a4:66:67:6c:c6:d0:15:9f:6a:ab:be:5c:e1:1e

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:20 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 29, 2024, 1:20 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 29, 2024, 1:27 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 29, 2024, 1:27 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 29, 2024, 1:27 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00 StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1 StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82 SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3 PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3 SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8 New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746f5180 MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744d1bab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80070005 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 85324580 registers.edi: 1974991376 registers.eax: 85324580 registers.ebp: 85324660 registers.edx: 0 registers.ebx: 5274372 registers.esi: 2147942405 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 29, 2024, 1:27 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746f5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744d1bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80070005
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 85324580
registers.edi: 1974991376
registers.eax: 85324580
registers.ebp: 85324660
registers.edx: 0
registers.ebx: 5274372
registers.esi: 2147942405
registers.ecx: 0

Performs some HTTP requests (1 event)

request

GET http://downloads.bablosoft.com/distr/FastExecuteScriptProtected64/25.4.1/FastExecuteScriptProtected.x64.zip

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 1508 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 1508 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ca0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:27 p.m.	process_identifier: 2252 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2024, 1:20 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 53 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9917153280 free_bytes_available: 9917153280 root_path: \\?\C:\Users\test22\AppData\Local\Temp\ total_number_of_bytes: 9917153280	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9873694720 free_bytes_available: 9873694720 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9873694720	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9870757888 free_bytes_available: 9870757888 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Nov. 29, 2024, 1:27 p.m.	number_of_free_clusters: 2409853 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9910554624 free_bytes_available: 9910554624 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9910554624	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9910554624 free_bytes_available: 9910554624 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9910554624	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9910554624 free_bytes_available: 9910554624 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9910554624	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9910554624 free_bytes_available: 9910554624 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9910554624	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9909952512 free_bytes_available: 9909952512 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9909952512	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9906491392 free_bytes_available: 9906491392 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9906491392	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9905311744 free_bytes_available: 9905311744 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9905311744	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9905287168 free_bytes_available: 9905287168 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9905287168	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9903673344 free_bytes_available: 9903673344 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9903673344	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9903214592 free_bytes_available: 9903214592 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9903214592	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9902239744 free_bytes_available: 9902239744 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9902239744	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9887006720 free_bytes_available: 9887006720 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9887006720	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886957568 free_bytes_available: 9886957568 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886957568	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886908416 free_bytes_available: 9886908416 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886908416	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886871552 free_bytes_available: 9886871552 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886871552	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886826496 free_bytes_available: 9886826496 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886826496	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886789632 free_bytes_available: 9886789632 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886789632	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886535680 free_bytes_available: 9886535680 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886535680	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886486528 free_bytes_available: 9886486528 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886486528	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886453760 free_bytes_available: 9886453760 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886453760	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9886412800 free_bytes_available: 9886412800 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9886412800	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9881735168 free_bytes_available: 9881735168 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9881735168	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9876709376 free_bytes_available: 9876709376 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9876709376	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9875845120 free_bytes_available: 9875845120 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9875845120	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9875582976 free_bytes_available: 9875582976 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9875582976	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9871114240 free_bytes_available: 9871114240 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9871114240	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9871077376 free_bytes_available: 9871077376 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9871077376	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9870753792 free_bytes_available: 9870753792 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9870753792	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9870725120 free_bytes_available: 9870725120 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9870725120	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9870389248 free_bytes_available: 9870389248 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9870389248	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9869357056 free_bytes_available: 9869357056 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9869357056	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9869078528 free_bytes_available: 9869078528 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9869078528	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868898304 free_bytes_available: 9868898304 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868898304	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868738560 free_bytes_available: 9868738560 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868738560	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868562432 free_bytes_available: 9868562432 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868562432	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868562432 free_bytes_available: 9868562432 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868562432	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868398592 free_bytes_available: 9868398592 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868398592	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868226560 free_bytes_available: 9868226560 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868226560	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9868087296 free_bytes_available: 9868087296 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9868087296	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867993088 free_bytes_available: 9867993088 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867993088	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867837440 free_bytes_available: 9867837440 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867837440	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867706368 free_bytes_available: 9867706368 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867706368	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867579392 free_bytes_available: 9867579392 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867579392	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867423744 free_bytes_available: 9867423744 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867423744	1	1
GetDiskFreeSpaceExW Nov. 29, 2024, 1:27 p.m.	total_number_of_free_bytes: 9867264000 free_bytes_available: 9867264000 root_path: \\?\C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\ total_number_of_bytes: 9867264000	1	1

Creates executable files on the filesystem (30 events)

file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qgenericbearer.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qjpeg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcp120.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Network.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Widgets.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qicns.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwebp.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qnativewifibearer.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\D3Dcompiler_47.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\platforms\qwindows.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\task.bat
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Svg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtga.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qico.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qdds.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\ssleay32.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\SystemCare1.0.exe
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qgif.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libeay32.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Core.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Gui.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwbmp.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\opengl32sw.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcr120.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qsvg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libGLESV2.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\iconengines\qsvgicon.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtiff.dll

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemCare1.0.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Drops an executable to the user AppData folder (29 events)

file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwebp.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Core.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qsvg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcr120.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\msvcp120.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\platforms\qwindows.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qicns.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qgif.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qico.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Gui.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qgenericbearer.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\ssleay32.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\bearer\qnativewifibearer.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Widgets.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libGLESV2.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\iconengines\qsvgicon.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtga.dll
file	C:\Users\test22\AppData\Local\Temp\MSIC648.tmp
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qtiff.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\D3Dcompiler_47.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\SystemCare1.0.exe
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qjpeg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qdds.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Svg.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\Qt5Network.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\opengl32sw.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\libeay32.dll
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\LocalAppDataFolder\Corporation\imageformats\qwbmp.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Bkav	W32.AIDetectMalware
CrowdStrike	win/malicious_confidence_70% (W)
Kaspersky	HEUR:Backdoor.Win32.Farfli.gen
Zillya	Backdoor.Farfli.Win32.13679

Checks for the Locally Unique Identifier on the system for a suspicious privilege (39 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:27 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 29, 2024, 1:20 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Deletes executed files from disk (2 events)

file
file	C:\Users\test22\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi

TcMBq5M.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All