Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 18, 2022, 10:31 a.m.	Jan. 18, 2022, 10:41 a.m.

Size	1.4MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d07f491116eceea7ea138e02d19bd996`
SHA256	`618d2ada3227b0b007cf453d59d35be746f1647ece6a2c03d74d77f5f8639b72`
CRC32	`18B3B569`
ssdeep	`24576:VTeQ2EJL/6DyypmTSCd6iG1P9p1EFPMAnGJtevJBhRPQJ6aMe0JVBQJkybqcZM:8JEJ6DzpWFA1/1EFPZGJtmJBhRP4B0JP`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

new_etc.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
2300
- cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2432
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
    2488
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
    2424
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
    2312
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    2528
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
  2580
  - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
    2668
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      2808
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        2868
    - services32.exe "C:\Windows\system32\services32.exe"
      2920
      - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2244
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        2096
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        3000
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
        1972
      - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        2600
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        2372
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        3020
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        2672
        
        sihost32.exe "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        416
    - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
      2996
      - choice.exe choice /C Y /N /D Y /T 3
        2176

Name	Response	Post-Analysis Lookup
sanctam.net
github.com	A 52.78.231.108	52.78.231.108

IP Address	Status	Action
164.124.101.2	Active	Moloch
52.78.231.108	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (45 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 18, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (17 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:31 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:32 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:33 a.m.			0	0
IsDebuggerPresent Jan. 18, 2022, 10:33 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 18, 2022, 10:31 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 18, 2022, 10:31 a.m.	buffer: Y console_handle: 0x0000000000000007	1	1
WriteConsoleW Jan. 18, 2022, 10:32 a.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 231 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6e00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6e00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6e00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6c40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6c40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a7110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a7110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a7110 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2869f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000518050 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a67e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d6510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d6510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d6510 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d6660 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d6660 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d66d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d66d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d73f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2d73f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2e2eb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2e2eb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b286c90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002d6310 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002b3f890 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002b3f890 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 18, 2022, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002b3f890 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 18, 2022, 10:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1226 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076de0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013fdf0000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000030f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002d50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b91000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef322b000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000032c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b92000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b94000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b94000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b94000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b94000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

Creates executable files on the filesystem (2 events)

file	C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
file	C:\Users\test22\AppData\Local\Temp\svchost32.exe

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (16 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
cmdline	C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	cmd /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
cmdline	"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
cmdline	cmd /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
cmdline	cmd /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe"
cmdline	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 18, 2022, 10:31 a.m.	thread_identifier: 2436 thread_handle: 0x000000000000025c process_identifier: 2432 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000278	1	1
ShellExecuteExW Jan. 18, 2022, 10:31 a.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\new_etc.exe" filepath: cmd	1	1
ShellExecuteExW Jan. 18, 2022, 10:31 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Jan. 18, 2022, 10:31 a.m.	show_type: 0 filepath_r: C:\Windows\system32\services32.exe parameters: filepath: C:\Windows\System32\services32.exe	1	1
ShellExecuteExW Jan. 18, 2022, 10:31 a.m.	show_type: 0 filepath_r: cmd parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe" filepath: cmd	1	1
CreateProcessInternalW Jan. 18, 2022, 10:31 a.m.	thread_identifier: 2256 thread_handle: 0x000000000000025c process_identifier: 2244 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000278	1	1
ShellExecuteExW Jan. 18, 2022, 10:32 a.m.	show_type: 0 filepath_r: cmd parameters: /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe" filepath: cmd	1	1
ShellExecuteExW Jan. 18, 2022, 10:32 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Jan. 18, 2022, 10:32 a.m.	show_type: 0 filepath_r: C:\Windows\system32\Microsoft\Telemetry\sihost32.exe parameters: filepath: C:\Windows\System32\Microsoft\Telemetry\sihost32.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 18, 2022, 10:33 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00006c00', u'virtual_address': u'0x00002000', u'entropy': 7.993277318517643, u'name': u'', u'virtual_size': u'0x00008000'}

entropy

7.99327731852

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0003be00', u'virtual_address': u'0x0000e000', u'entropy': 7.999133086626656, u'name': u'', u'virtual_size': u'0x004ba000'}

entropy

7.99913308663

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0012b200', u'virtual_address': u'0x004c8000', u'entropy': 7.977406574920288, u'name': u'', u'virtual_size': u'0x0012c000'}

entropy

7.97740657492

description

A section with a high entropy has been found

entropy

0.998975759645

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 18, 2022, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 18, 2022, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
cmdline	cmd /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"

Installs itself for autorun at Windows startup (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\svchost32.exe
file	C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Win32.Tasker.4!c
FireEye	Generic.mg.d07f491116eceea7
ALYac	Trojan.Autoruns.GenericKDS.37729570
Cylance	Unsafe
Sangfor	Trojan.Win32.Tasker.arbd
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Malware:Win32/Dorpal.ali1000029
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.116ece
ESET-NOD32	a variant of Win64/Packed.Enigma.CA
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Tasker.arbd
BitDefender	Trojan.Autoruns.GenericKDS.37729570
MicroWorld-eScan	Trojan.Autoruns.GenericKDS.37729570
Avast	Win64:Malware-gen
Tencent	Win32.Trojan.Tasker.Wozn
Ad-Aware	Trojan.Autoruns.GenericKDS.37729570
Emsisoft	Trojan.Autoruns.GenericKDS.37729570 (B)
TrendMicro	TROJ_GEN.R049C0WJC21
McAfee-GW-Edition	BehavesLike.Win64.Generic.tc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1144781
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win32.Z.Tasker.1500672
GData	Trojan.Autoruns.GenericKDS.37729570
AhnLab-V3	Trojan/Win.Generic.C4712093
McAfee	Artemis!D07F491116EC
VBA32	Trojan.Tasker
Malwarebytes	Trojan.BitCoinMiner.Generic
TrendMicro-HouseCall	TROJ_GEN.R049C0WJC21
Rising	Trojan.Tasker!8.CA15 (CLOUD)
Yandex	Trojan.Tasker!BUiaw9q/So0
Ikarus	Trojan.Win32.CoinMiner
MaxSecure	Trojan.Malware.1728101.susgen
AVG	Win64:Malware-gen
Panda	Trj/CI.A

Stack pivoting was detected when using a critical API by the process services32.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2920 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 1 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00000000006e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Jan. 18, 2022, 10:31 a.m.	process_identifier: 2920 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 1 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000002814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

new_etc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All