Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 30, 2025, 7:14 p.m.	Jan. 30, 2025, 7:27 p.m.

Size	93.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ceabf00e91c6d219345af40a28da43e8`
SHA256	`a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f`
CRC32	`22DCE727`
ssdeep	`768:AY3XiBD7O/pBcxYsbae6GIXb9pDXQzVMBwXCmXxrjEtCdnl2pi1Rz4Rk3B6sGd0F:PipOx6baIa9RtytjEwzGi1dDRmKVgS`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

joiner.exe "C:\Users\test22\AppData\Local\Temp\joiner.exe"
2544
- server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
  2688
  - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    2784
  - netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
    2916
  - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    2952
  - svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
    3048
    - server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
      1264
      - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2236
      - netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        2500
      - netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2528
      - svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        2700
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2876
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3028
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        3036
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3012
        
        svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        2124
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2408
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2684
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        2816
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2372
        
        svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        2368
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2076
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        1952
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        3044
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        884
        
        svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        1336
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2460
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2888
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        2280
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2660
        
        svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        1608
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2516
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        284
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        2620
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        1080
        
        svchost.exe "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"
        2744
        
        server.exe "C:\Users\test22\AppData\Local\Temp\server.exe"
        2164
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        1576
        
        netsh.exe netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
        2732
        
        netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        2860

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0
IsDebuggerPresent Jan. 30, 2025, 7:14 p.m.			0	0

Command line console output was observed (48 events)

Time & API	Arguments	Status	Return
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1
WriteConsoleA Jan. 30, 2025, 7:14 p.m.	buffer: Ok. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 30, 2025, 7:14 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 442 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00403000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2544 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 30, 2025, 7:14 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates an autorun.inf file (1 event)

file	C:\autorun.inf

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\server.exe

Creates hidden or system file (10 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\autorun.inf filepath: C:\autorun.inf	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Umbrella.flv.exe filepath: C:\Umbrella.flv.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1
SetFileAttributesW Jan. 30, 2025, 7:14 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\server.exe filepath: C:\Users\test22\AppData\Local\Temp\server.exe	1	1

Creates a suspicious process (2 events)

cmdline	C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe
cmdline	"C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 30, 2025, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Created a process named as a common system process (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 3052 thread_handle: 0x00000510 process_identifier: 3048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000047c	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 2720 thread_handle: 0x000004f4 process_identifier: 2700 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 2112 thread_handle: 0x00000514 process_identifier: 2124 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000051c	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 1608 thread_handle: 0x000004fc process_identifier: 2368 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000508	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 2440 thread_handle: 0x000004fc process_identifier: 1336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000508	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 2848 thread_handle: 0x00000500 process_identifier: 1608 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000510	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1
CreateProcessInternalW Jan. 30, 2025, 7:14 p.m.	thread_identifier: 2904 thread_handle: 0x00000508 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000510	1	1
ShellExecuteExW Jan. 30, 2025, 7:14 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\svchost.exe	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	netsh firewall delete allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe"
cmdline	netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 30, 2025, 7:14 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

server.exe tried to sleep 21825351 seconds, actually delayed analysis time by 21825351 seconds

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\server.exe

Disables Windows' Task Manager (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.Common.C1DBF6DC
Lionic	Trojan.Win32.Bladabindi.4!c
MicroWorld-eScan	Gen:Heur.MSIL.Krypt.3
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Trojan.nm
Cylance	Unsafe
VIPRE	Gen:Heur.MSIL.Krypt.3
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Heur.MSIL.Krypt.3
K7GW	EmailWorm ( 00555f371 )
K7AntiVirus	EmailWorm ( 00555f371 )
Arcabit	Trojan.MSIL.Krypt.3
VirIT	Trojan.Win32.MulDrop7.DOQR
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Njrat
ESET-NOD32	a variant of MSIL/Autorun.Spy.Agent.R
APEX	Malicious
Avast	Win32:KeyloggerX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:MSIL/Bladabindi.eec838a9
NANO-Antivirus	Trojan.Win32.TrjGen.dkmeat
Rising	Backdoor.njRAT!1.A096 (CLASSIC)
Emsisoft	Gen:Heur.MSIL.Krypt.3 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.MulDrop7.62625
Zillya	Worm.AutoRun.Win32.361720
McAfeeD	Real Protect-LS!CEABF00E91C6
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.ceabf00e91c6d219
Sophos	Mal/ILAgent-E
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Dropper.Gen
Kingsoft	Win32.Trojan.Generic.a
Microsoft	Backdoor:MSIL/Bladabindi!atmn
ViRobot	Trojan.Win.Z.Agent.95232.MF
GData	MSIL.Backdoor.Agent.AXJ
Varist	W32/Trojan.BVX.gen!Eldorado
AhnLab-V3	Trojan/Win32.Bladabindi.R295982
McAfee	Trojan-FUTJ!CEABF00E91C6
TACHYON	Backdoor/W32.DN-NjRat.95232.C
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.Bladabindi.Heur
Malwarebytes	AutoRun.Spyware.Stealer.DDS
Ikarus	Trojan.Inject
Panda	Trj/GdSda.A
Zoner	Trojan.Win32.87452
TrendMicro-HouseCall	Backdoor.MSIL.BLADABINDI.SMJJ
Tencent	Worm.Msil.Agent.zo

joiner.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All