Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2024, 2:22 p.m.	Oct. 16, 2024, 2:26 p.m.

Size	292.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`254dd83941729a0ee8f38777fc77889c`
SHA256	`11ae325f101e921cee280a88d8d8b394236f1199817c55953865740354c7a1fc`
CRC32	`3EF9B71B`
ssdeep	`6144:zPgcl4RxzJyKCFGZtfEfPHqGAU3qRHeTWvk2ajdU8FQlM5YZ:024RJJyHGzfE3HVAITTf2ajbFn5`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2544
- powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost' -Value '"C:\Users\test22\AppData\Roaming\svchost.exe"' -PropertyType 'String'
  2740

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
109.176.30.246	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 109.176.30.246:56002	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49165 -> 109.176.30.246:56002	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 109.176.30.246:56002	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49165 -> 109.176.30.246:56002	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 109.176.30.246:56002	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 109.176.30.246:56002	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 109.176.30.246:56002 -> 192.168.56.101:49164	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 109.176.30.246:56002 -> 192.168.56.101:49164	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 109.176.30.246:56002 -> 192.168.56.101:49164	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected
TCP 109.176.30.246:56002 -> 192.168.56.101:49165	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 109.176.30.246:56002 -> 192.168.56.101:49165	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 109.176.30.246:56002 -> 192.168.56.101:49165	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 109.176.30.246:56002	CN=Hfoqppvo	CN=Hfoqppvo	21:78:ba:55:44:74:2f:b6:df:5e:ca:2b:c8:5e:52:be:4d:90:f0:65
TLSv1 192.168.56.101:49164 109.176.30.246:56002	CN=Hfoqppvo	CN=Hfoqppvo	21:78:ba:55:44:74:2f:b6:df:5e:ca:2b:c8:5e:52:be:4d:90:f0:65

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:22 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 2:22 p.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 2:22 p.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 2:22 p.m.			0	0

Command line console output was observed (19 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: Remove-ItemProperty : Property svchost does not exist at path HKEY_CURRENT_USER console_handle: 0x00000023	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: At line:1 char:20 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: + Remove-ItemProperty <<<< -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVers console_handle: 0x00000047	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: ion\Run' -Name 'svchost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windo console_handle: 0x00000053	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: ws\CurrentVersion\Run' -Name 'svchost' -Value 'C:\Users\test22\AppData\Roaming\ console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: svchost.exe' -PropertyType 'String' console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: + CategoryInfo : InvalidArgument: (svchost:String) [Remove-ItemPr console_handle: 0x00000077	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: operty], PSArgumentException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: + FullyQualifiedErrorId : System.Management.Automation.PSArgumentException console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: ,Microsoft.PowerShell.Commands.RemoveItemPropertyCommand console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: icrosoft\Windows\CurrentVersion\Run console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: icrosoft\Windows\CurrentVersion console_handle: 0x000000c3	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: PSChildName : Run console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: PSDrive : HKCU console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x000000cf	1	1
WriteConsoleW Oct. 16, 2024, 2:22 p.m.	buffer: svchost : C:\Users\test22\AppData\Roaming\svchost.exe console_handle: 0x000000d3	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: f ¹çÕF- à<¨QÕ×rç=\|Ñ¥@Ã}Ð¢Ûw crypto_handle: 0x0058b110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d4598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d5218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 2:22 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 340 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00747000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00748000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00749000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02371000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02231000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02372000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02373000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02374000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:22 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02375000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\svchost.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost' -Value '"C:\Users\test22\AppData\Roaming\svchost.exe"' -PropertyType 'String'

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\svchost.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 16, 2024, 2:22 p.m.	thread_identifier: 2744 thread_handle: 0x000002d4 process_identifier: 2740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'svchost' -Value '"C:\Users\test22\AppData\Roaming\svchost.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002d8	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00048600', u'virtual_address': u'0x00002000', u'entropy': 7.9962457507797655, u'name': u'.text', u'virtual_size': u'0x00048480'}

entropy

7.99624575078

description

A section with a high entropy has been found

entropy

0.993138936535

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2024, 2:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 16, 2024, 2:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

109.176.30.246

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 16, 2024, 2:22 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 455603561 seconds, actually delayed analysis time by 455603561 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost

reg_value

C:\Users\test22\AppData\Roaming\svchost.exe

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW Oct. 16, 2024, 2:22 p.m.	key_handle: 0x000002e4 regkey_r: 7cbac6bda238c28e3fe350088c92ebf1 reg_type: 3 (REG_BINARY) value: .°]P0øþ?ùOøqøòã¿þ?ûgXyIÝ²¯ÚM ÕîV¿9_ÙªO+êïãÍÖ ê¸30-_Zúé/ôæç¾zo»[óG¤@egÿc÷I´ÝV¾ð~\çñà[J®ËµÚKgãI__+X -_Íß3òÐ-ðáÔ Ï»·ÒF«Ü(À¤Ø$À$84¢MADàÿd ÝÅÄü0Ô¢ü¸tXîÁ¡çïI;ï[0_\|é'÷¾SÀ=ò 8ä CÕ àÖîX&Ïò$²Hû`@Ý×ÐÆî3&(¯sÈýu\× º]¤ÃþI° Ó±Æà±±&_À @û³}O¿À(p°þÜFGQwÎ¨àjÚMÔÎ 2£ ,ì]¸ü3°U¾³#Ýõ×ãplÀ_ð¿ò`Aõðàíj'³»£Nv³hnÎJfy?~wtÀM¿\|3¨dÎF"ª¼ñN¢QUYAçO5Ê»!óôfWê1@(zU Õ Á* :Ha g'ôà°®Í#8ù~UëÆË;à¹¶Ñ~N°qömÉt¹_Äÿ=ì_Ð¾ß ¥[ìô~«ªøYÓ_øÂ¢gLÉ¢Í¼#0Ç-y¨oÓ¸uuEÓÞz\|ÝNËzTØNXÍ°û7Jíftg}<1{î! ç ¾$>Î°'»^·Ô6Ô¸¾j5Ì5Ç{r³ëç¡oLNé-y\_~;ëÒ3°ÛgPÃ2×r¦ïäÊ,Ëú`ÓÔ¥ Ï$÷Lìùã}ªþ7ê Ø£ â¯/ÐÎr/}GjGªlß%HÄ×XûmÓ/(qýNÎÑxtU¢» âUëe^È}éðk`Ê÷´X×SØ¼;ê76Ù[quçx¦½õA±äµc8<\GV¿(põ??Ï?w°ýÐySËI¨7ÀUªnélÜ}Ò%Óâi2¬9Á±7¢¨êã%}Ôv°õ4«XñÿÇnÛèm`%Æ}+=ïô"s-Ä+frdòÄA ÉQÑX2~cªnöÓGÇ4ÙEça ÏÉÍÍ² ×dî:6XÑ%¾r)üY~ÇB¼Êá$Bç^S¢}5¡]Üöä ÈD2´òêÜîÂÍûûÜ«&ÑÇÀ°$¨E¥)7LØ´OKØìÆg/Æ)M¾áçUÛ½39jå¼ßz§[ÊÐ_<"ÑàW]ó·ËeýÓù\Ô_öGËÂTUáÎHC#á¸ ã¾\KòÍÊÃg2ÝDrøWjgF©¤+fÞÂñGpc `mÈÄ¼ÈiºèýV,ThShk¼îNçiVô!ÌsîØg½®¥óz2 gYÅªKzXõ5@ÊðÎ\|@o°/XOXÁ].gu.±ðr^TÔÈýf±ÁÐ?á?Ôxóò5È¿¦NÔ²±?èKÉÖ<~A=}V Ê)j #éJuêôûb>ºWcLö.ÈEó7´3ÙÏ9òÍ3rZ·:©úÖ{Ã-ãíf Å¦pÑõT9Ö1d÷Tã³ÜBáæT5üP¹\±fÒ¸rnRaÜZ\á7ä¼ÞÒ§© `Øx«î¡r-§°1Ï.ÂÝ+'÷=@)ur§b S+¯Âª¿ä¬äà9¸ï2;¥9§)K¬ö®mæ»MdÏ(ç¾¾ªÛò1Û²bê2}¸áKì×¥¦^ Å&¬ÛP°»ØÜ©KÌÁ}Ý¾ØëÀoZAÏ{.sZb+q>c0 ·8t¿Ï«\?å§ÆõâTÐõÞü}=k«mÈI½¡ëgåýKòMÜ\äa¶ù&Úåµï.=i4yÅT ¼ª5·%¸J·I=ýÁáÍ¹ù¸ûQ]í®a¼íK}jÝàóÖUËë%Ø#²MåÉh#òÂ?Øè_¶7'áÞÓjoÂ«4bè>ø= !eý6Ð:wà@"¶ÊmJÕ¡hs§«iÆ´eØXßX§%ÃJxMk(â³m\|HEbýòÉR¶ÕU¯:^¿;ÇzÈ¢p7,ÇÈz'2ÙíH\½osàRÔdoÞ.&7+©é ÖìáªëqpçéAXS(¥ä´akÙÈ®z.Ôiúo?Xùa:rä<¾û§§VýàUÆ÷¯»H ò?Óº2?{!_ó»7ã7cF(ÁÅQëôP7ô©eV\|SzºIT¼² ¶}ÙÖ ì½o¥Ñ!OÊ£¾KCÔú¯°R·BpÈ]kìs;Òõ[V]àÛM`þ1àQ¨vÙ^¤x+~h ôi+qü±TlaJ±ÙxêÞÇpLÁ6Ã Çýsmí"ª?]+Ît &8êµ1(y[ÃÅi^ÏÍ½7²a·h)ìI©3W¸u>sÛ{Ò¿QÄÆ®YëHX\|i?GÖTÀ9¢9v[ß²vwR³g¦ò;eGé}º_[ÂGô/jpÕÍ¸r-q è +ÝÕÄßÇû¦®ÎØ°¸RCa;ÑQÁ±DÍÍ[; }ôª¬Â(Ü½<øywçFÆã0Ð ëî29Û9ÊEÜø°µ6Nc(Ûyù(+j?µ¦×\Æ>¥§£yÝèìX\| )ÍÐB¤ÏæiêL·IÒÎESÁ2ÈÏ/_)5ÆÅÍâa\|iIô¸ÁW_D¤%\·øò"Þõøu ý h+¹ãwÖqLCó¬_òi½å%'bUÚÔ¢Ë×Ozu.Á%Rixjg892¤åJÆBkÈQ<ÃC))¡TÃWnò#âV¡vZhuÎ±ÚAâ§¶ÙH¯ï×äåFvE©xGÌæ¦ ðH¢i'¯!I¤Â168ÀOP':PsZq[uîJÇu-è¾ çHTVTËÍå{DØþÐfX`£ÊjÕE¹¾õ®âÚ`P{²¥Ìk1>ñ¨Ò°¢t:b°~íÊ^ÖFãQÒ¢æP1XUë?r± .<'w÷ÊÛ> Yî_t/ÉäÚWBg¹4(Ã'"y¢$ÛkW¯4ðclRmÎArå®Å×ÔjyÎ&ª9RÏE<¯°Ì4ÊÐ5 ×884M0n© Âº!J4T01'êêÇt<Þ¿Pñ÷©;¸µ`poíyªÖSöÝÌfýç2ÔàUË'âÇ"' !m[¥Q4µâóíús8à?îmâ6DöY3'_sÝßå=_xóõx_«ÌaJÂ·YS`ÑLËOg¹ª-¤Á2eÅÈ¬ÉïK÷4'pÔÇ¤Ýíe®ZUFÒ[{WiøI×ôwÃÑ=÷fuïéª}¼ëmÐà¸dNêjû<©l«2ímÑvÅóÔâcÁnw¡¼IáíÆªK×Î5ªTI¨lsË6Ôk9ì.»y;ÝodöÊæãyr¼ÁÑåg¾ï&«#¢'ûîüûþçÜçëûë®ûï¯å¾ºûzÞ©~µâ1Id!vk"ÙlöK$ì¨2È]´ï²Co²d5,YAÊc a !o²f]8ySíÈEßÎ°»co nå{/\|Ç{¼=û¯×µ÷Áãfúu°ÁØë2¾ñhù±ÉA·ÏÁØÓ m]ãxX@Vûê}«;ÉÁ¹ =W7df²ÈwµßüûWv»6µ«ÓBù7í!óÄSºÆuS1.N"áKÁ¸è^ÛS8ª%Ûkg8L×§Ø=Ïx83hè#Õ{ãNY;ùøël`\|x@i3Y -µp$kÞccÌÿA»Ì6{»IÃ42o¼©A¾äcÞÃzÍ@¦IfæEÅì,Ü?^~?GþW6ÀÎÍþVÎ¡{ðÄMô,ÐWüªÛ²´óÆzÒH±HÚB¶Ñ IgM+s¯Ã{vÑÊ-ÛüðìÀ·vÒ$ZV%N_ï-À¶áÕõð«/¹ü:Êu{øì}C¹(©ÞqKGJ¿ª:ëä.ÒzÝ·<P;ð³:åÒ?æÜ Fa>ì BÑz_¤7ÖöøÉÃÈ°Á`Dóúý&Ê9¯/jî[=Zù9Fùc÷Æ¶¦Ã&`J¼`Û \ó¿LUü¥ïWp_ÚÖìcÚQüJ¹åÐ ÇGe[%ªäîý¾ +xgãð~Æ%äAz5èñ:5®²ÄÊ/VedíÚLQePÝï{gõz7£Tö5ð9qm\| ÖÈF ÀkHRp/GZj{íT,F»}æ¬\|-Èr'\é9O0fÖB]»Õ=n,Mí~ë¨\É±ÿóçÕçÆfÄO_÷ã:hf6íÔúZ<Â³IBôéÐ[³u¥e£Q8 ZJMîkÜÇæ»0ó=«qcÂgûùG¡×ûÅQî`Ê±Ö~lõË½?.1yÖÚr)Uæ®5ß>Nñ²&[pAk?°ÜWÂ@eÙ¾c¤Z9±+¨ìx0ÛôFËÌ°$ì"Xô9uÏ\|¡éì¦ô\ÃFJM]*¹N@"5Û?Øp@¶ÏÒ@&f5bT?äµà5wÀðrÅóÌ¼hw#êÏDðÃ7â¦Ô6ìKÐfððñvRó¾ýÐz¼úÓçðÑ%òês0µGÐ¹º«äÿX7+f ì.ãÅh:eoÊÒ®6Ø°é½¡Í WÏ@ÞL-NËù¿õz!5<yÿpZYæ«¬x:¼i·4ÿ1Â regkey: HKEY_CURRENT_USER\Software\1FDE2DAF8E72D9C8F9D38AAACA325288\7cbac6bda238c28e3fe350088c92ebf1	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Crysan.m!c
tehtris	Generic.Malware
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Gen:Variant.Lazy.577533
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.577533
Sangfor	Backdoor.Msil.Lazy.Vms3
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Lazy.577533
K7GW	Trojan ( 005b82991 )
K7AntiVirus	Trojan ( 005b82991 )
Arcabit	Trojan.Lazy.D8CFFD
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AMFY
APEX	Malicious
Avast	Win32:BackdoorX-gen [Trj]
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/PureLogStealer.590fd798
NANO-Antivirus	Trojan.Win32.Kryptik.kquqex
MicroWorld-eScan	Gen:Variant.Lazy.577533
Rising	Malware.Obfus/MSIL@AI.92 (RDM.MSIL2:erkSk4ah+vxzNHYJuF9gQw)
Emsisoft	Gen:Variant.Lazy.577533 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Siggen29.14627
Zillya	Trojan.Kryptik.Win32.4850139
TrendMicro	TROJ_GEN.R002C0DHC24
McAfeeD	Real Protect-LS!254DD8394172
CTX	exe.unknown.lazy
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.254dd83941729a0e
Google	Detected
Avira	TR/Dropper.Gen
Kingsoft	malware.kb.c.1000
Microsoft	Trojan:MSIL/PureLogStealer.RNAA!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	Gen:Variant.Lazy.577533
Varist	W32/MSIL_Kryptik.LKA.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5648812
McAfee	Artemis!254DD8394172
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
Ikarus	Trojan.MSIL.Crypt
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DHC24
Tencent	Malware.Win32.Gencirc.141604e0

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All