Summary | ZeroBOX

idman623build12_ws1032687615.exe

Category Machine Started Completed
FILE s1_win7_x6401 March 9, 2021, 11:05 a.m. March 9, 2021, 11:07 a.m.
Size 6.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 14ad7cf3de11bae58071e0e4cc2ab285
SHA256 7d0c6a122569bd9c1d9e7ce1027e46a8ccedf0a99d429bb2756e35b64c9274fd
CRC32 0BE47DA8
ssdeep 196608:K7k1cL5p/FkQTTGFm1V9xKqp0ALSk/qUPbSLnRARWZ6+riBG/FFU:Ck1GQQUm1V9AmT2kV2ARkHicFFU
Yara
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
idman623build12_ws1032687615+0xa3cd @ 0x40a3cd

exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff
exception.symbol: lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a
exception.instruction: mov cl, byte ptr [eax]
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 41802
exception.address: 0x76a7a34a
registers.esp: 31326000
registers.edi: 2178809873
registers.eax: 2178809873
registers.ebp: 31326040
registers.edx: 2178809874
registers.ebx: 31900044
registers.esi: 4235214
registers.ecx: 2000500858
1 0 0

__exception__

stacktrace:
0x2791304
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 79
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2791304
registers.r14: 0
registers.r15: 65646
registers.rcx: 48
registers.rsi: 2149646339
registers.r10: 0
registers.rbx: 0
registers.rsp: 48363272
registers.r11: 48364272
registers.r8: 1999536524
registers.r9: 0
registers.rdx: 8796092658256
registers.r12: 4294967295
registers.rbp: 48363392
registers.rdi: 0
registers.rax: 41489152
registers.r13: 8791671956160
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 17358848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01de0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01de0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef33c3000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077050000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076afe000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076da0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdddd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff021000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4c3000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000738c8000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd583000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000018000e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077050000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076afe000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076da0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdddd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000738c8000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd583000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000180013000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077050000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076afe000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076da0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdddd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000738c8000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd583000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13720915968
free_bytes_available: 13720915968
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13390270464
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13391347712
free_bytes_available: 13391347712
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13702369280
free_bytes_available: 13702369280
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_CURRENT_USER\Software\Opera Software
registry HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Grabber Help.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk
file C:\Users\test22\Desktop\Internet Download Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Grabber Help.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Grabber Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk
file C:\Users\test22\Desktop\Internet Download Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Grabber Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM40.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM46.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM49.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM35.tmp
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM7.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM106.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM52.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM53.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM5.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM8.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM39.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM36.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM100.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM3.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM45.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM94.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM72.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM88.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM92.tmp
section .rsrc: size_of_data 0x00014800, virtual_address 0x00007000, virtual_size 0x00015000, entropy 7.923799265592882 description A section with a high entropy has been found
entropy 0.788461538462 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://qual.ocsp.d-trust.net0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url http://www.signatur.rtr.at/de/directory/cps.html0
url http://www.globaltrust.info0
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalate privileges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x00000288
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
2 0
cmdline /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
cmdline "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
cmdline "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
cmdline /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
cmdline regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
cmdline /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000208
1 0 0

NtAllocateVirtualMemory

process_identifier: 1496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000021c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 844
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000258
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04680000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll
file C:\Windows\system.ini
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Process injection Process 1016 created a remote thread in non-child process 1284
Process injection Process 1016 created a remote thread in non-child process 1496
Process injection Process 1016 created a remote thread in non-child process 1848
Process injection Process 1016 created a remote thread in non-child process 2816
Process injection Process 1016 created a remote thread in non-child process 2120
Process injection Process 1016 created a remote thread in non-child process 844
Process injection Process 1016 created a remote thread in non-child process 2684
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 0
process_identifier: 1284
function_address: 0x01e70000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000208
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1496
function_address: 0x01cc0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x0000021c
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 1848
function_address: 0x02b20000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001d8
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2816
function_address: 0x00140000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001d8
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2120
function_address: 0x001a0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001d8
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 844
function_address: 0x002e0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000258
0 0

CreateRemoteThread

thread_identifier: 0
process_identifier: 2684
function_address: 0x00510000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x000001d8
0 0
Process injection Process 1016 manipulating memory of non-child process 1284
Process injection Process 1016 manipulating memory of non-child process 1496
Process injection Process 1016 manipulating memory of non-child process 1848
Process injection Process 1016 manipulating memory of non-child process 2816
Process injection Process 1016 manipulating memory of non-child process 2120
Process injection Process 1016 manipulating memory of non-child process 844
Process injection Process 1016 manipulating memory of non-child process 2684
Process injection Process 1016 manipulating memory of non-child process 1016
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000208
1 0 0

NtAllocateVirtualMemory

process_identifier: 1496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000021c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 844
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000258
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04680000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0
bho_regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default)
bho_regkey HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default)
bho_regkey HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer
bho_regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify
url http://203.146.43.35/logo.gif
url http://89.119.67.154/testo5/
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM5.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM63.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM35.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM85.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM72.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM67.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM29.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM56.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM24.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM87.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM17.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM88.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM92.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM77.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM21.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM3.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM54.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM65.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM9.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM50.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM57.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM33.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM4.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM20.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM45.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM106.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM95.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM93.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM83.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM48.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM64.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM103.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM60.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM89.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM34.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM14.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM53.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM16.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM25.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM79.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM105.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM44.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM59.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM102.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM80.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM68.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM99.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM71.tmp
file C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM6.tmp
Process injection Process 2764 resumed a thread in remote process 3024
Process injection Process 2764 resumed a thread in remote process 1976
Process injection Process 2764 resumed a thread in remote process 2660
Process injection Process 2764 resumed a thread in remote process 2384
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000314
suspend_count: 1
process_identifier: 3024
1 0 0

NtResumeThread

thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 1976
1 0 0

NtResumeThread

thread_handle: 0x000002d4
suspend_count: 1
process_identifier: 2660
1 0 0

NtResumeThread

thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 2384
1 0 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
description disables user access control notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall exceptions registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000001b8
suspend_count: 1
process_identifier: 1016
1 0 0

NtAllocateVirtualMemory

process_identifier: 1284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000208
1 0 0

WriteProcessMemory

buffer:
base_address: 0x01e70000
process_identifier: 1284
process_handle: 0x00000208
1 1 0

NtAllocateVirtualMemory

process_identifier: 1496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000021c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x01cc0000
process_identifier: 1496
process_handle: 0x0000021c
1 1 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

WriteProcessMemory

buffer:
base_address: 0x02b20000
process_identifier: 1848
process_handle: 0x000001d8
1 1 0

NtAllocateVirtualMemory

process_identifier: 2816
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00140000
process_identifier: 2816
process_handle: 0x000001d8
1 1 0

NtAllocateVirtualMemory

process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

WriteProcessMemory

buffer:
base_address: 0x001a0000
process_identifier: 2120
process_handle: 0x000001d8
1 1 0

NtAllocateVirtualMemory

process_identifier: 844
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000258
1 0 0

WriteProcessMemory

buffer:
base_address: 0x002e0000
process_identifier: 844
process_handle: 0x00000258
1 1 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001d8
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00510000
process_identifier: 2684
process_handle: 0x000001d8
1 1 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04680000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x04680000
process_identifier: 1016
process_handle: 0x0000029c
1 1 0

NtAllocateVirtualMemory

process_identifier: 1016
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x04690000
process_identifier: 1016
process_handle: 0x0000029c
1 1 0

CreateProcessInternalW

thread_identifier: 808
thread_handle: 0x000001d8
process_identifier: 2764
current_directory: C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp\"
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000029c
1 1 0

NtResumeThread

thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2764
1 0 0

CreateProcessInternalW

thread_identifier: 2240
thread_handle: 0x00000314
process_identifier: 3024
current_directory: C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
filepath_r: C:\Windows\System32\regsvr32.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

NtResumeThread

thread_handle: 0x00000314
suspend_count: 1
process_identifier: 3024
1 0 0

CreateProcessInternalW

thread_identifier: 556
thread_handle: 0x000002c4
process_identifier: 1976
current_directory: C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
filepath_r: C:\Windows\System32\regsvr32.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

NtResumeThread

thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 1976
1 0 0

CreateProcessInternalW

thread_identifier: 1188
thread_handle: 0x000002d4
process_identifier: 2660
current_directory: C:\Users\test22\AppData\Local\Temp\IDM_Setup_Temp
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
filepath_r: C:\Windows\System32\regsvr32.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000314
1 1 0

NtResumeThread

thread_handle: 0x000002d4
suspend_count: 1
process_identifier: 2660
1 0 0

CreateProcessInternalW

thread_identifier: 1772
thread_handle: 0x000002c4
process_identifier: 2384
current_directory: C:\Program Files (x86)\Internet Download Manager
filepath: C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
track: 1
command_line: "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
filepath_r: C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000032c
1 1 0

NtResumeThread

thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 2384
1 0 0

CreateProcessInternalW

thread_identifier: 1788
thread_handle: 0x00000170
process_identifier: 1408
current_directory:
filepath:
track: 1
command_line: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x000001e8
1 1 0

CreateProcessInternalW

thread_identifier: 2692
thread_handle: 0x00000124
process_identifier: 2832
current_directory:
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
filepath_r: C:\Windows\system32\regsvr32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2076
thread_handle: 0x00000124
process_identifier: 1224
current_directory:
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
filepath_r: C:\Windows\system32\regsvr32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2728
thread_handle: 0x00000124
process_identifier: 1884
current_directory:
filepath: C:\Windows\System32\regsvr32.exe
track: 1
command_line: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
filepath_r: C:\Windows\system32\regsvr32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000128
1 1 0

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 1408
1 0 0

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 1408
1 0 0
Bkav W32.Sality.PE
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Sality.3
FireEye Generic.mg.14ad7cf3de11bae5
CAT-QuickHeal W32.Sality.U
Malwarebytes Malware.Heuristic.1001
VIPRE Virus.Win32.Sality.at (v)
Sangfor Virus_Suspicious.Win32.Sality.bh
K7AntiVirus Virus ( f10001071 )
Alibaba Virus:Win32/Sality.66849c1c
K7GW Virus ( f10001071 )
CrowdStrike win/malicious_confidence_100% (D)
Baidu Win32.Virus.Sality.gen
Cyren W32/Sality.gen2
Symantec W32.Sality.AE
TotalDefense Win32/Sality.AA
APEX Malicious
Paloalto generic.ml
Kaspersky Virus.Win32.Sality.gen
BitDefender Win32.Sality.3
NANO-Antivirus Virus.Win32.Sality.beygb
ViRobot Win32.Sality.Gen.A
Avast Win32:SaliCode [Inf]
Rising Virus.Sality!1.A5BD (CLASSIC)
Ad-Aware Win32.Sality.3
Emsisoft Win32.Sality.3 (B)
Comodo Virus.Win32.Sality.gen@1egj5j
F-Secure Malware.W32/Sality.AT
DrWeb Win32.Sector.30
Zillya Virus.Sality.Win32.25
TrendMicro PE_SALITY.RL
McAfee-GW-Edition W32/Sality.gen.z
Sophos Mal/Generic-R + Mal/Sality-D
SentinelOne Static AI - Suspicious PE
Jiangmin Win32/HLLP.Kuku.poly2
Avira W32/Sality.AT
MAX malware (ai score=100)
Antiy-AVL Virus/Win32.Sality.gen
Arcabit Win32.Sality.3
AegisLab Virus.Win32.Sality.v!c
ZoneAlarm Virus.Win32.Sality.gen
GData Win32.Sality.3
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Kashu.E
Acronis suspicious
McAfee W32/Sality.gen.z
TACHYON Virus/W32.Sality.D
VBA32 Virus.Win32.Sality.bakc
ESET-NOD32 Win32/Sality.NBA
TrendMicro-HouseCall PE_SALITY.RL