Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 5, 2021, 10:10 a.m.	May 5, 2021, 10:23 a.m.

Size	25.2KB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`a3ba3e470d3da87be8632657a33869c6`
SHA256	`48e608cc0205f921ad888c1357007a4d0ea6ca0936cf167cc1a78fbe8ef31bc8`
CRC32	`23B36C0D`
ssdeep	`768:5vkEJEHLWzOpBOzHylhYBBoobXiC663Q+2Y:yzrpBODbB+u/MQ`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

Windows_Update.exe "C:\Users\test22\AppData\Local\Temp\Windows_Update.exe"
1016
- Dllhost.exe "C:\ProgramData\Dllhost.exe"
  1396
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\test22\AppData\Local\Temp/Server.exe
    2092

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.52.178.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 5, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 5, 2021, 10:22 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 5, 2021, 10:10 a.m.			0	0
IsDebuggerPresent May 5, 2021, 10:03 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 5, 2021, 10:22 a.m.	buffer: SUCCESS: The scheduled task "Server" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 5, 2021, 10:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 118 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef15a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef159e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00122000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0003c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00171000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff001b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00173000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:10 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:11 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00176000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:11 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0003a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 5, 2021, 10:11 a.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

Dllhost.exe tried to sleep 229 seconds, actually delayed analysis time by 229 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\Server.exe
file	C:\ProgramData\Dllhost.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW May 5, 2021, 10:04 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost.exe filepath: C:\ProgramData\Dllhost.exe	1	1	0

Creates a suspicious process (1 event)

cmdline

schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\test22\AppData\Local\Temp/Server.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 5, 2021, 10:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\test22\AppData\Local\Temp/Server.exe

Communicates with host for which no DNS query was performed (1 event)

host

20.52.178.148

Installs itself for autorun at Windows startup (50 out of 171 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update	reg_value	"C:\ProgramData\Dllhost.exe" ..

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Server.exe

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.Malware.SLcbg.2F2FF6CC
FireEye	Generic.mg.a3ba3e470d3da87b
ALYac	Generic.Malware.SLcbg.2F2FF6CC
Cylance	Unsafe
SUPERAntiSpyware	Trojan.Agent/Gen-Dropper
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 004b8b571 )
K7GW	Trojan ( 004b8b571 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34688.bmY@a88OLv
Cyren	W32/MSIL_Bladabindi.BO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Bladabindi.BB
APEX	Malicious
Avast	FileRepMalware
ClamAV	Win.Malware.Bladabindi-7487253-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Generic.Malware.SLcbg.2F2FF6CC
Tencent	Malware.Win32.Gencirc.10b36a47
Ad-Aware	Generic.Malware.SLcbg.2F2FF6CC
Emsisoft	Generic.Malware.SLcbg.2F2FF6CC (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.mc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Agent
eGambit	Unsafe.AI_Score_73%
Avira	TR/Dropper.Gen
Gridinsoft	Backdoor.Win32.Bladabindi.vl!ni
Microsoft	Backdoor:MSIL/Bladabindi.BT!bit
GData	MSIL.Trojan.PSE.KMOFOJ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Agent.C195594
Acronis	suspicious
McAfee	Artemis!A3BA3E470D3D
MAX	malware (ai score=82)
VBA32	TrojanDropper.Dapato
Malwarebytes	Bladabindi.Backdoor.Njrat.DDS
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Bladabindi.BO!tr
AVG	FileRepMalware

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (24 events)

dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49203
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49216
dead_host	20.52.178.148:555
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49204
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49210
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49214

Windows_Update.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All