Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2022, 9:36 a.m.	Dec. 14, 2022, 9:46 a.m.

Size	880.0KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`90932373f89d77524ca0f118695a73e0`
SHA256	`69caf1ef8dfd03c4c814e67f3cb74b0aecd91cfcfcccf0b388ab3d30a052556e`
CRC32	`D50474B8`
ssdeep	`12288:YcVpG8GaPNNc6zG9kXVYP6Pk9bXJ/ImHHH4VUBi3CMuFTH:YUpN/c6zG9klYP6UtI4n4S`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT anti_vm_detect - Possibly employs anti-virtualization techniques PE_Header_Zero - PE File Signature IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
1984
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2496
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
  2544
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpD35.tmp.bat""
  2608
  - timeout.exe timeout 3
    2672
  - LUJXWGZIJO.exe "C:\ProgramData\41456\LUJXWGZIJO.exe"
    2756
    - powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2984
    - powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
      3020
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
      2108
      - schtasks.exe schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
        536

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:37 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:37 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 14, 2022, 9:36 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Dec. 14, 2022, 9:37 a.m.	buffer: SUCCESS: The scheduled task "LUJXWGZIJO" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 184 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000249460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2caee0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2caee0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2caee0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2caf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2caf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb1f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb1f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb1f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cba40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cba40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cbab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cbab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cbb20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cbb20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cbb20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b5f90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b5f90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b5c80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2b5c80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2f5cd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2f5cd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2f6130 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2f6130 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb7a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb7a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb7a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2cb7a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000035ffa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b12f950 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b12f950 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b12f950 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2022, 9:36 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 14, 2022, 9:37 a.m.	stacktrace: mscorlib+0xcf2c72 @ 0x7fef0542c72 0x7fe93673f81 mscorlib+0x4ef8a5 @ 0x7feefd3f8a5 mscorlib+0x4ef609 @ 0x7feefd3f609 mscorlib+0x4ef5c7 @ 0x7feefd3f5c7 mscorlib+0xd5159d @ 0x7fef05a159d CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bdf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bdf242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bdf30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2da6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c86d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c86d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c86c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c86dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2da6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2d166ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 44 88 04 01 48 8d 65 18 5b 5d c3 cc cc cc cc cc exception.instruction: mov byte ptr [rcx + rax], r8b exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0xcf2c72 exception.address: 0x7fef0542c72 registers.r14: 0 registers.r15: 0 registers.rcx: 1996259984 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 469498080 registers.r11: 514 registers.r8: 469493321 registers.r9: 469493456 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 14, 2022, 9:37 a.m.

stacktrace:

mscorlib+0xcf2c72 @ 0x7fef0542c72
0x7fe93673f81
mscorlib+0x4ef8a5 @ 0x7feefd3f8a5
mscorlib+0x4ef609 @ 0x7feefd3f609
mscorlib+0x4ef5c7 @ 0x7feefd3f5c7
mscorlib+0xd5159d @ 0x7fef05a159d
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bdf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bdf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bdf30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2da6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c86d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c86d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c86c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c86dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2da6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2d166ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 44 88 04 01 48 8d 65 18 5b 5d c3 cc cc cc cc cc
exception.instruction: mov byte ptr [rcx + rax], r8b
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0xcf2c72
exception.address: 0x7fef0542c72
registers.r14: 0
registers.r15: 0
registers.rcx: 1996259984
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 469498080
registers.r11: 514
registers.r8: 469493321
registers.r9: 469493456
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 878 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 925696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe940b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000340000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000340000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000342000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000003d2000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\tmpD35.tmp.bat
file	C:\ProgramData\41456\LUJXWGZIJO.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
cmdline	schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	cmd /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 14, 2022, 9:36 a.m.	thread_identifier: 2500 thread_handle: 0x0000000000000244 process_identifier: 2496 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000023c	1	1
CreateProcessInternalW Dec. 14, 2022, 9:36 a.m.	thread_identifier: 2548 thread_handle: 0x0000000000000244 process_identifier: 2544 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000024c	1	1
CreateProcessInternalW Dec. 14, 2022, 9:36 a.m.	thread_identifier: 2612 thread_handle: 0x0000000000000260 process_identifier: 2608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmpD35.tmp.bat" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000264	1	1
CreateProcessInternalW Dec. 14, 2022, 9:37 a.m.	thread_identifier: 2988 thread_handle: 0x0000000000000248 process_identifier: 2984 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000240	1	1
CreateProcessInternalW Dec. 14, 2022, 9:37 a.m.	thread_identifier: 3024 thread_handle: 0x0000000000000248 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000250	1	1
ShellExecuteExW Dec. 14, 2022, 9:37 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe" filepath: cmd	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 14, 2022, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 14, 2022, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 14, 2022, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 14, 2022, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 14, 2022, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 14, 2022, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	cmd /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	cmd /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LUJXWGZIJO" /tr "C:\ProgramData\41456\LUJXWGZIJO.exe"

Drops a binary and executes it (1 event)

file	C:\ProgramData\41456\LUJXWGZIJO.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2608 resumed a thread in remote process 2756
NtResumeThread Dec. 14, 2022, 9:36 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2756	1	0	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

tehtris	Generic.Malware
DrWeb	Trojan.InjectNET.14
MicroWorld-eScan	Gen:Variant.Ser.MSILHeracles.798
FireEye	Generic.mg.90932373f89d7752
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	CoinMiner-FFG!90932373F89D
Cybereason	malicious.fd858c
Arcabit	Trojan.Ser.MSILHeracles.798
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/CoinMiner.BMT
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Inject.gen
BitDefender	Gen:Variant.Ser.MSILHeracles.798
Avast	Win64:Evo-gen [Trj]
Ad-Aware	Gen:Variant.Ser.MSILHeracles.798
Emsisoft	Gen:Variant.Ser.MSILHeracles.798 (B)
F-Secure	Heuristic.HEUR/AGEN.1231966
VIPRE	Gen:Variant.Ser.MSILHeracles.798
McAfee-GW-Edition	CoinMiner-FFG!90932373F89D
Sophos	Mal/Miner-AX
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	HEUR/AGEN.1231966
MAX	malware (ai score=80)
Microsoft	Trojan:MSIL/CoinMiner.NC!MTB
GData	Gen:Variant.Ser.MSILHeracles.798
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5199103
Acronis	suspicious
ALYac	Gen:Variant.Ser.MSILHeracles.798
Malwarebytes	Trojan.CoinMiner
Ikarus	Trojan.MSIL.CoinMiner
AVG	Win64:Evo-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (D)

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All