Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 28, 2023, 5:14 p.m.	Aug. 28, 2023, 5:16 p.m.

Size	381.5KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`ba84cb431da839bba1bf4dedb3e2ee8f`
SHA256	`cd3314bd837c138a281178784346756a37b84e95a32222e4dcd527be6a66e331`
CRC32	`845D9253`
ssdeep	`6144:0aPoIVYrV63Zmc1GrfSy4l0w4wN1o2Ef4ckkV5gZ0sK07yj31xrWuMotome1iu4U:0OHVWUZmVf6ylwN1nEnh5sNyjjidJbyc`
Yara	Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description)

ok.exe "C:\Users\test22\AppData\Local\Temp\ok.exe"
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit
  2872
  - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"'
    2932
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp63E5.tmp.bat""
  2980
  - timeout.exe timeout 3
    3044
  - svchost.exe "C:\Users\test22\AppData\Roaming\svchost.exe"
    604
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\svchost.exe" -Force
      2496
    - Setup.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Setup.exe"
      2984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 28, 2023, 5:06 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:06 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:07 p.m.			0	0
IsDebuggerPresent Aug. 28, 2023, 5:08 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 28, 2023, 5:07 p.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Aug. 28, 2023, 5:07 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003c3ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596d80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596d80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596d80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596d80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b597330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b597330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b597330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b596ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5971e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043ad80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043ad80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043a680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bfd50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bfd50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bfd50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bfd50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c0920 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c0920 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5cf9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 28, 2023, 5:06 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 28, 2023, 5:15 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: add byte ptr [eax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x13430 registers.esp: 1834224 registers.edi: 0 registers.eax: 1968976824 registers.ebp: 1834232 registers.edx: 4273230 registers.ebx: 4294828032 registers.esi: 0 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 344 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9432c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94272000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:06 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\svchost.exe
file	C:\Users\test22\AppData\Local\Temp\tmp63E5.tmp.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (7 events)

cmdline	"C:\Users\test22\AppData\Roaming\svchost.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\svchost.exe" -Force
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit
cmdline	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 28, 2023, 5:07 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit filepath: cmd	1	1
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 2984 thread_handle: 0x0000000000000318 process_identifier: 2980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmp63E5.tmp.bat" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000410	1	1
ShellExecuteExW Aug. 28, 2023, 5:07 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\svchost.exe" -Force filepath: powershell	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005ec00', u'virtual_address': u'0x00002000', u'entropy': 7.996378315777659, u'name': u'.text', u'virtual_size': u'0x0005eb82'}

entropy

7.99637831578

description

A section with a high entropy has been found

entropy

0.994750656168

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 28, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 28, 2023, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (43 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 812 thread_handle: 0x000000000000006c process_identifier: 604 current_directory: filepath: C:\Users\test22\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1	0
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2832 thread_handle: 0x00000000000003f4 process_identifier: 2936 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f8	1	1	0

Terminates another process (20 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000000000000280
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000000000000280	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 1668 process_handle: 0x000000000000028c
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 1668 process_handle: 0x000000000000028c	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 1364 process_handle: 0x000000000000041c
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 1364 process_handle: 0x000000000000041c	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 916 process_handle: 0x00000000000002e0
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 916 process_handle: 0x00000000000002e0	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2904 process_handle: 0x0000000000000314
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2904 process_handle: 0x0000000000000314	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 3000 process_handle: 0x00000000000003f4
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 3000 process_handle: 0x00000000000003f4	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2936 process_handle: 0x00000000000003fc
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2936 process_handle: 0x00000000000003fc	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x0000000000000444
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x0000000000000444	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2600 process_handle: 0x0000000000000270
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 2600 process_handle: 0x0000000000000270	1
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 940 process_handle: 0x0000000000000264
NtTerminateProcess Aug. 28, 2023, 5:08 p.m.	status_code: 0xffffffff process_identifier: 940 process_handle: 0x0000000000000264	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: e6a27d9b970e8987902dea6529f738c45e5a5483
buffer	Buffer with sha1: b5b8bda6d8c8a6d41468f64dcd759a8d05bf7240

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 28, 2023, 5:08 p.m.	process_identifier: 916 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000310		-1073741800	0
NtAllocateVirtualMemory Aug. 28, 2023, 5:08 p.m.	process_identifier: 2984 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000268	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects virtualization software with SCSI Disk Identifier trick(s) (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost	reg_value	"C:\Users\test22\AppData\Roaming\svchost.exe"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"'
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Aug. 28, 2023, 5:07 p.m.	service_start_name: start_type: 3 password: display_name: Zemana filepath: C:\Zemana.sys service_name: Zemana filepath_r: C:\Zemana.sys desired_access: 983551 service_handle: 0x000000001b256170 error_control: 0 service_type: 1 service_manager_handle: 0x000000001b2563b0	1	455434608	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\svchost.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 604 manipulating memory of non-child process 916
NtAllocateVirtualMemory Aug. 28, 2023, 5:08 p.m.	process_identifier: 916 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000310		-1073741800	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2980 resumed a thread in remote process 604
Process injection	Process 604 resumed a thread in remote process 2984
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 604	1	0	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x0000000000000264 suspend_count: 1 process_identifier: 2984	1	0	0

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\System32\drivers\VBoxMouse.sys

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Detects VMWare through the presence of various files (2 events)

file	C:\Windows\System32\drivers\vmmouse.sys
file	C:\Windows\System32\drivers\vmhgfs.sys

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Aug. 28, 2023, 5:07 p.m.	ordinal: 0 function_address: 0x00000000001dd0b0 function_name: wine_get_unix_file_name module: KERNEL32 module_address: 0x0000000076c10000		-1073741511	0
LdrGetProcedureAddress Aug. 28, 2023, 5:07 p.m.	ordinal: 0 function_address: 0x000000000021cfa0 function_name: wine_get_unix_file_name module: KERNEL32 module_address: 0x0000000076c10000		-1073741511	0

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware.64
FireEye	Generic.mg.ba84cb431da839bb
McAfee	Artemis!BA84CB431DA8
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.8d6044
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GNGA
Kaspersky	HEUR:Trojan.MSIL.Fsysna.gen
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win64.Generic.fc
Trapmine	malicious.moderate.ml.score
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.MSIL.Fsysna.gen
Acronis	suspicious
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	TROJ_GEN.R002H0DHS23
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.121218.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 28, 2023, 5:06 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Aug. 28, 2023, 5:06 p.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Aug. 28, 2023, 5:06 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x0000000000000274 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000002fc suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 2876 thread_handle: 0x0000000000000430 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000438	1	1
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 2984 thread_handle: 0x0000000000000318 process_identifier: 2980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmp63E5.tmp.bat" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000410	1	1
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 2936 thread_handle: 0x0000000000000060 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Roaming\svchost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 3048 thread_handle: 0x0000000000000068 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 812 thread_handle: 0x000000000000006c process_identifier: 604 current_directory: filepath: C:\Users\test22\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x0000000000000184 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x0000000000000274 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000002fc suspend_count: 1 process_identifier: 604	1	0
NtGetContextThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 604	1	0
NtGetContextThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000002fc	1	0
NtGetContextThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000002fc	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000002fc suspend_count: 1 process_identifier: 604	1	0
NtGetContextThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread Aug. 28, 2023, 5:07 p.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 604	1	0
CreateProcessInternalW Aug. 28, 2023, 5:07 p.m.	thread_identifier: 2632 thread_handle: 0x000000000000043c process_identifier: 2496 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000444	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2308 thread_handle: 0x0000000000000440 process_identifier: 2288 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000288	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 1108 thread_handle: 0x0000000000000280 process_identifier: 1668 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000284	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 1320 thread_handle: 0x000000000000028c process_identifier: 1364 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000027c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2848 thread_handle: 0x000000000000041c process_identifier: 916 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000310	1	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:08 p.m.	process_identifier: 916 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000310		-1073741800
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2900 thread_handle: 0x00000000000002e0 process_identifier: 2904 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000418	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2996 thread_handle: 0x0000000000000314 process_identifier: 3000 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000030c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2832 thread_handle: 0x00000000000003f4 process_identifier: 2936 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f8	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2908 thread_handle: 0x00000000000003fc process_identifier: 2916 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 2604 thread_handle: 0x0000000000000444 process_identifier: 2600 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000043c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 1964 thread_handle: 0x0000000000000270 process_identifier: 940 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000026c	1	1
CreateProcessInternalW Aug. 28, 2023, 5:08 p.m.	thread_identifier: 3040 thread_handle: 0x0000000000000264 process_identifier: 2984 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Setup.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Setup.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000268	1	1
NtAllocateVirtualMemory Aug. 28, 2023, 5:08 p.m.	process_identifier: 2984 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000268	1	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x0000000000000264 suspend_count: 1 process_identifier: 2984	1	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x00000000000002d8 suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Aug. 28, 2023, 5:08 p.m.	thread_handle: 0x00000000000003fc suspend_count: 1 process_identifier: 2496	1	0

ok.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All