Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2023, 4:36 p.m.	Oct. 17, 2023, 4:39 p.m.

Size	695.1KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7ba214f8174004943d83942dda0f9731`
SHA256	`0cff69c9468dfe7337570c12c44510f162de14e08c0cee8f5d8f699e3013bb40`
CRC32	`FF5B02D1`
ssdeep	`12288:NNK/wV8oSStivGrmU6KQUGUrLmUWBJb+Ayy4nBkAexc5XyaPY3wOpchdlgapFzGX:zK/a7tAUIoBqyhnPYgOpidlpVG55dN`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) OS_Processor_Check_Zero - OS Processor Check

Ermnnolfu.exe "C:\Users\test22\AppData\Local\Temp\Ermnnolfu.exe"
1000
- vlcdownloader.exe "C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe"
  2084
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"' & exit
2872
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"'
  2936
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp2D99.tmp.bat""
2984
- timeout.exe timeout 3
  3056
- svhost.exe "C:\Users\test22\AppData\Roaming\svhost.exe"
  2220

Name	Response	Post-Analysis Lookup
www.pubgh4cks.com	CNAME pubgh4cks.com A 190.123.45.218	190.123.45.218
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.76.70.102	104.76.70.102

IP Address	Status	Action
104.76.70.102	Active	Moloch
164.124.101.2	Active	Moloch
190.123.45.218	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 190.123.45.218:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 190.123.45.218:443	C=US, O=Let's Encrypt, CN=R3	CN=www.pubgh4cks.com	31:81:bf:af:8d:48:d4:f4:ff:86:6e:33:60:04:67:69:8e:99:2a:22

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 17, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 4:38 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:36 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:38 p.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 4:38 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 17, 2023, 4:38 p.m.	buffer: SUCCESS: The scheduled task "svhost" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2023, 4:38 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: Microsoft (R) .NET Framework Installation utility Version 4.0.30319.17929 Copyright (C) Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: Usage: InstallUtil [/u \| /uninstall] [option [...]] assembly [[option [...]] assembly] [...]] InstallUtil executes the installers in each given assembly. If the /u or /uninstall switch is specified, it uninstalls the assemblies, otherwise it installs console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: them. Unlike other options, /u applies to all assemblies, regardless of where it appears on the command line. Installation is done in a transactioned way: If one of the assemblies fails to install, the installations of all other assemblies are rolle console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: d back. Uninstall is not transactioned. Options take the form /switch=[value]. Any option that occurs before the name of an assembly will apply to that assembly's installation. Options are cumulative but overridable - options specified for one assemb console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: ly will apply to the next as well unless the option is specified with a new value. The default for all options is empty or false unless otherwise specified. Options recognized: Options for installing any assembly: /AssemblyName The assembly para console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: meter will be interpreted as an assembly name (Name, Locale, PublicKeyToken, Version). The default is to interpret the assembly parameter as the filename of the assembly on disk. /LogFile=[filename] File to write progress to. If empty, do not writ console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: e log. Default is <assemblyname>.InstallLog /LogToConsole={true\|false} If false, suppresses output to the console. /ShowCallStack If an exception occurs at any point during installation, the call stack will be printed to the log. /InstallS console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: tateDir=[directoryname] Directory in which the .InstallState file will be stored. Default is the directory of the assembly. Individual installers used within an assembly may recognize other options. To learn about these options, run InstallUtil w console_handle: 0x00000007	1	1
WriteConsoleA Oct. 17, 2023, 4:38 p.m.	buffer: ith the paths of the assemblies on the command line along with the /? or /help option. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 17, 2023, 4:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 4:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 4:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006eb7f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2023, 4:36 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://x1.i.lencr.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 93 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01db5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01db7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01da6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01daa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01da7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0213f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02121000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02122000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02123000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02124000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02125000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02126000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02127000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02128000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02129000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0212a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0212b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0212c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0212d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.vbs

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"'

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe
file	C:\Users\test22\AppData\Roaming\svhost.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\svhost.exe
file	C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 17, 2023, 4:36 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a5a00', u'virtual_address': u'0x00002000', u'entropy': 7.174557616934068, u'name': u'.text', u'virtual_size': u'0x000a5844'}

entropy

7.17455761693

description

A section with a high entropy has been found

entropy

0.981481481481

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 17, 2023, 4:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (42 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 17, 2023, 4:36 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x00000248		0	0
NtTerminateProcess Oct. 17, 2023, 4:36 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x00000248	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"'

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2136 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496	0
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2180 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 17, 2023, 4:36 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

vlcdownloader.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds

Installs itself for autorun at Windows startup (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.vbs
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"'

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 manipulating memory of non-child process 2136
Process injection	Process 1000 manipulating memory of non-child process 2180
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2136 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496	0
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2180 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 injected into non-child 2180
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔäcà\| @ à@PK ø À H.text¤{ \| `.rsrcø ~@@.relocÀ@B base_address: 0x00400000 process_identifier: 2180 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: 8Ph Ôt£ Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription,FileVersion6.0.1<InternalNameClientAny.exe&LegalCopyrightLegalTrademarksDOriginalFilenameClientAny.exe"ProductName0ProductVersion6.0.18Assembly Version6.0.1.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0043a000 process_identifier: 2180 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: ; base_address: 0x0043c000 process_identifier: 2180 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2180 process_handle: 0x0000024c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 injected into non-child 2180
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔäcà\| @ à@PK ø À H.text¤{ \| `.rsrcø ~@@.relocÀ@B base_address: 0x00400000 process_identifier: 2180 process_handle: 0x0000024c	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 called NtSetContextThread to modify thread in remote process 2180
NtSetContextThread Oct. 17, 2023, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4430750 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2180	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1000 resumed a thread in remote process 2180
Process injection	Process 2984 resumed a thread in remote process 2220
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2180	1	0	0
NtResumeThread Oct. 17, 2023, 4:38 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2220	1	0	0

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 1000	1	0
CreateProcessInternalW Oct. 17, 2023, 4:36 p.m.	thread_identifier: 2088 thread_handle: 0x000003c8 process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\vlcdownloader.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Oct. 17, 2023, 4:36 p.m.	thread_identifier: 2140 thread_handle: 0x00000254 process_identifier: 2136 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000250	1	1
NtGetContextThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2136 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000250		3221225496
CreateProcessInternalW Oct. 17, 2023, 4:36 p.m.	thread_identifier: 2184 thread_handle: 0x00000248 process_identifier: 2180 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Oct. 17, 2023, 4:36 p.m.	process_identifier: 2180 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÔäcà\| @ à@PK ø À H.text¤{ \| `.rsrcø ~@@.relocÀ@B base_address: 0x00400000 process_identifier: 2180 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: base_address: 0x00402000 process_identifier: 2180 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: 8Ph Ôt£ Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription,FileVersion6.0.1<InternalNameClientAny.exe&LegalCopyrightLegalTrademarksDOriginalFilenameClientAny.exe"ProductName0ProductVersion6.0.18Assembly Version6.0.1.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0043a000 process_identifier: 2180 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: ; base_address: 0x0043c000 process_identifier: 2180 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 17, 2023, 4:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2180 process_handle: 0x0000024c	1	1
NtSetContextThread Oct. 17, 2023, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4430750 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2180	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread Oct. 17, 2023, 4:36 p.m.	thread_handle: 0x00000640 suspend_count: 1 process_identifier: 2084	1	0
CreateProcessInternalW Oct. 17, 2023, 4:38 p.m.	thread_identifier: 2940 thread_handle: 0x00000084 process_identifier: 2936 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\test22\AppData\Roaming\svhost.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Oct. 17, 2023, 4:38 p.m.	thread_identifier: 3060 thread_handle: 0x00000084 process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Oct. 17, 2023, 4:38 p.m.	thread_identifier: 2240 thread_handle: 0x00000088 process_identifier: 2220 current_directory: filepath: C:\Users\test22\AppData\Roaming\svhost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svhost.exe" filepath_r: C:\Users\test22\AppData\Roaming\svhost.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread Oct. 17, 2023, 4:38 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2220	1	0
NtResumeThread Oct. 17, 2023, 4:38 p.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2220	1	0
NtResumeThread Oct. 17, 2023, 4:38 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2220	1	0
NtResumeThread Oct. 17, 2023, 4:38 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2220	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.Common.0E3B5752
Lionic	Trojan.Win32.Generic.4!c
MicroWorld-eScan	Gen:Variant.Ser.MSILHeracles.2956
FireEye	Generic.mg.7ba214f817400494
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Ser.MSILHeracles.2956
Malwarebytes	Malware.AI.4059186307
VIPRE	Gen:Variant.Ser.MSILHeracles.2956
K7AntiVirus	Trojan ( 005abac01 )
Alibaba	TrojanDownloader:MSIL/Seraph.43b91b92
K7GW	Trojan ( 005abac01 )
Cybereason	malicious.a22288
Arcabit	Trojan.Ser.MSILHeracles.DB8C
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AJEE
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.Ser.MSILHeracles.2956
Avast	Win32:InjectorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13f227ac
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.Nekark.lvnrx
DrWeb	Trojan.InjectNET.63
Emsisoft	Gen:Variant.Ser.MSILHeracles.2956 (B)
Ikarus	Trojan-Spy.Agent
Varist	W32/ABRisk.PHNS-8004
Avira	TR/AD.Nekark.lvnrx
Antiy-AVL	Trojan/MSIL.Injector
Kingsoft	malware.kb.c.966
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.Ser.MSILHeracles.2956
Google	Detected
BitDefenderTheta	Gen:NN.ZemsilCO.36738.Rm2@a8kLlgf
MAX	malware (ai score=86)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CJD23
Rising	Malware.Obfus/MSIL@AI.96 (RDM.MSIL2:YgWeZx0KXYeuDrZDTkEpjQ)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AJWN!tr
AVG	Win32:InjectorX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Ermnnolfu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All