Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2021, 8:05 a.m.	July 1, 2021, 8:12 a.m.

Size	161.7KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6fc65c14ff61433c356bfda77e0c6e41`
SHA256	`1feda728feb0187e19e099ddfcb542c608b3ec67149592520c1515bc6d3ada03`
CRC32	`1F128117`
ssdeep	`3072:RsH8hiUNcplOhMdWZhEVJaSHlmx/YDWDK88g888AhdrZMs25TAkqXeQTbC3PTWSB:RsH8hiUNcplOhMdWZhEVJaSHlmx/YDWc`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

ujunkwerex.exe "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe"
4656
- ujunkwerex.exe "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe"
  7204
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force
    6012
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
    3752
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
    6200
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force
    4672
  - tj85xg1cs.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe"
    2268
    - tj85xg1cs.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe"
      5572
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
        3352
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
        4828
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
        296
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
        7196
      - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        2576
        
        timeout.exe timeout 1
        1308
      - tj85xg1cs.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe"
        532
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
    8572
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force
    6596
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
    5992
  - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
    7352
    - timeout.exe timeout 1
      5988
  - ujunkwerex.exe "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe"
    2488

Name	Response	Post-Analysis Lookup
kakosidobrosam.gq	A 172.67.180.37 A 104.21.67.197	104.21.67.197

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.180.37	Active	Moloch
79.134.225.87	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.180.37:443	2025108	ET INFO Suspicious Domain (*.gq) in TLS SNI	Potentially Bad Traffic
TCP 192.168.56.102:49806 -> 172.67.180.37:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49806 172.67.180.37:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a2:99:7f:61:26:e9:24:3e:96:d0:98:83:eb:e0:35:eb:07:a8:19:f8

Queries for the computername (50 out of 70 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 1, 2021, 8:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (23 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:05 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0
IsDebuggerPresent July 1, 2021, 8:06 a.m.			0	0

Command line console output was observed (50 out of 103 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ujun console_handle: 0x00000053	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: kwerex.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: ft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: ft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ujun console_handle: 0x00000053	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: kwerex.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Windows\Resources\Themes\cbMadd8augI console_handle: 0x00000053	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: a6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 1, 2021, 8:06 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ujun console_handle: 0x00000053	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 512 events)

Time & API	Arguments	Status	Return
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007406c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00740d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00740d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070bce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070bce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070bce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c5a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070c6a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070be28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0070caa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 1, 2021, 8:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a3ed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2021, 8:05 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 1, 2021, 8:06 a.m.	stacktrace: 0x4a0e26 0x4a04c9 0x4a0059 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6f529df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6f529e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6f529efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6f529fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6f58564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6f55be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6f55b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6f55b726 CreateAssemblyNameObject+0x2f451 GetMetaDataInternalInterface-0x901e clr+0x5c8ea @ 0x6f55c8ea DllGetClassObjectInternal+0x526a2 CorDllMainForThunk-0x39e59 clr+0x11771b @ 0x6f61771b CorDllMainForThunk+0x593 _CorExeMain-0x2647 clr+0x151b07 @ 0x6f651b07 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 4a a2 98 64 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a0e93 registers.esp: 3073460 registers.edi: 3073480 registers.eax: 0 registers.ebp: 3073492 registers.edx: 39981608 registers.ebx: 3073792 registers.esi: 39981608 registers.ecx: 0	1
__exception__ July 1, 2021, 8:06 a.m.	stacktrace: 0x4a0e38 0x4a04c9 0x4a0059 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6f529df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6f529e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6f529efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6f529fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6f58564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6f55be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6f55b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6f55b726 CreateAssemblyNameObject+0x2f451 GetMetaDataInternalInterface-0x901e clr+0x5c8ea @ 0x6f55c8ea DllGetClassObjectInternal+0x526a2 CorDllMainForThunk-0x39e59 clr+0x11771b @ 0x6f61771b CorDllMainForThunk+0x593 _CorExeMain-0x2647 clr+0x151b07 @ 0x6f651b07 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 4a a2 98 64 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4a0e93 registers.esp: 3073460 registers.edi: 3073480 registers.eax: 0 registers.ebp: 3073492 registers.edx: 40041936 registers.ebx: 3073792 registers.esi: 40041936 registers.ecx: 0	1
__exception__ July 1, 2021, 8:06 a.m.	stacktrace: 0x700e26 0x7004c9 0x700059 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6f529df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6f529e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6f529efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6f529fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6f58564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6f55be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6f55b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6f55b726 CreateAssemblyNameObject+0x2f451 GetMetaDataInternalInterface-0x901e clr+0x5c8ea @ 0x6f55c8ea DllGetClassObjectInternal+0x526a2 CorDllMainForThunk-0x39e59 clr+0x11771b @ 0x6f61771b CorDllMainForThunk+0x593 _CorExeMain-0x2647 clr+0x151b07 @ 0x6f651b07 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 4a a2 72 64 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x700e93 registers.esp: 2876564 registers.edi: 2876584 registers.eax: 0 registers.ebp: 2876596 registers.edx: 39260712 registers.ebx: 2876896 registers.esi: 39260712 registers.ecx: 0	1
__exception__ July 1, 2021, 8:06 a.m.	stacktrace: 0x700e38 0x7004c9 0x700059 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6f529df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6f529e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6f529efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6f529fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6f58564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6f55be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6f55b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6f55b726 CreateAssemblyNameObject+0x2f451 GetMetaDataInternalInterface-0x901e clr+0x5c8ea @ 0x6f55c8ea DllGetClassObjectInternal+0x526a2 CorDllMainForThunk-0x39e59 clr+0x11771b @ 0x6f61771b CorDllMainForThunk+0x593 _CorExeMain-0x2647 clr+0x151b07 @ 0x6f651b07 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 4a a2 72 64 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x700e93 registers.esp: 2876564 registers.edi: 2876584 registers.eax: 0 registers.ebp: 2876596 registers.edx: 39310892 registers.ebx: 2876896 registers.esi: 39310892 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE44F55B90FB18A2A4452FA478F7245A.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1235E527CC34D56F5639DB569338CB90.html

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1810 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 7204 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 7204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (8 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force

A process created a hidden window (13 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:05 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW July 1, 2021, 8:06 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 1, 2021, 8:05 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 1, 2021, 8:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 1, 2021, 8:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 54 events)

description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Qemu_Description
description	(no description)	rule	Check_Qemu_DeviceMap
description	(no description)	rule	Check_VBox_Description
description	(no description)	rule	Check_VBox_DeviceMap
description	(no description)	rule	Check_VBox_Guest_Additions
description	(no description)	rule	Check_VBox_VideoDrivers
description	(no description)	rule	Check_VMWare_DeviceMap
description	(no description)	rule	Check_VmTools
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Qemu_Description
description	(no description)	rule	Check_Qemu_DeviceMap
description	(no description)	rule	Check_VBox_Description
description	(no description)	rule	Check_VBox_DeviceMap
description	(no description)	rule	Check_VBox_Guest_Additions
description	(no description)	rule	Check_VBox_VideoDrivers
description	(no description)	rule	Check_VMWare_DeviceMap
description	(no description)	rule	Check_VmTools

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	79.134.225.87

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 2488 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e0	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 5572 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 532 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000430	1

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 1, 2021, 8:06 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

ujunkwerex.exe tried to sleep 5920114346 seconds, actually delayed analysis time by 5920114346 seconds

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\tj85xg1cs	reg_value	C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\tj85xg1cs	reg_value	C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host	reg_value	C:\Program Files (x86)\SMTP Host\smtphost.exe

Potential code injection by writing to the memory of another process (14 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà8c¢à"PN ~m À @(m S H.textM N `.rsrc P @@.reloc T @B base_address: 0x10000000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: 0HX ,,4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoh000004b0Comments"CompanyName>FileDescriptionRunPeBraba0FileVersion1.0.0.0>InternalNameRunPeBraba.dllHLegalCopyrightCopyright © 2020*LegalTrademarksFOriginalFilenameRunPeBraba.dll6ProductNameRunPeBraba4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x10098000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: ` = base_address: 0x1009a000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: base_address: 0xfffde008 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈdç @ 8çW Ha H.textÇ È `.relocÊ@B.rsrcHa bÌ@@ base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà8c¢à"PN ~m À @(m S H.textM N `.rsrc P @@.reloc T @B base_address: 0x10000000 process_identifier: 5572 process_handle: 0x00000204	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: 0HX ,,4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoh000004b0Comments"CompanyName>FileDescriptionRunPeBraba0FileVersion1.0.0.0>InternalNameRunPeBraba.dllHLegalCopyrightCopyright © 2020*LegalTrademarksFOriginalFilenameRunPeBraba.dll6ProductNameRunPeBraba4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x10098000 process_identifier: 5572 process_handle: 0x00000204	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: ` = base_address: 0x1009a000 process_identifier: 5572 process_handle: 0x00000204	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: base_address: 0xfffde008 process_identifier: 5572 process_handle: 0x00000204	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈdç @ 8çW Ha H.textÇ È `.relocÊ@B.rsrcHa bÌ@@ base_address: 0x00400000 process_identifier: 532 process_handle: 0x00000430	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 532 process_handle: 0x00000430	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 532 process_handle: 0x00000430	1	1

Code injection by writing an executable or DLL to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà8c¢à"PN ~m À @(m S H.textM N `.rsrc P @@.reloc T @B base_address: 0x10000000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈdç @ 8çW Ha H.textÇ È `.relocÊ@B.rsrcHa bÌ@@ base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà8c¢à"PN ~m À @(m S H.textM N `.rsrc P @@.reloc T @B base_address: 0x10000000 process_identifier: 5572 process_handle: 0x00000204	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈdç @ 8çW Ha H.textÇ È `.relocÊ@B.rsrcHa bÌ@@ base_address: 0x00400000 process_identifier: 532 process_handle: 0x00000430	1	1

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ser.MSILHeracles.45
FireEye	Gen:Variant.Ser.MSILHeracles.45
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Ser.Bulz.85
Cyren	W32/MSIL_Kryptik.CXK.gen!Eldorado
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IFG
APEX	Malicious
BitDefender	Gen:Variant.Ser.MSILHeracles.45
Ad-Aware	Gen:Variant.Ser.Bulz.85
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=89)
Microsoft	Program:Win32/Wacapew.C!ml
GData	Gen:Variant.Ser.Bulz.85
AhnLab-V3	Trojan/Win.Generic.C4538841
Ikarus	Trojan-Downloader.MSIL.Agent
Fortinet	MSIL/Agent.IFG!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilCO.34770.km1@aCfzbVii
Qihoo-360	HEUR/QVM03.0.469F.Malware.Gen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 called NtSetContextThread to modify thread in remote process 7204
Process injection	Process 7204 called NtSetContextThread to modify thread in remote process 2488
Process injection	Process 2268 called NtSetContextThread to modify thread in remote process 5572
Process injection	Process 5572 called NtSetContextThread to modify thread in remote process 532
NtSetContextThread July 1, 2021, 8:05 a.m.	registers.eip: 2000355780 registers.esp: 3078620 registers.edi: 0 registers.eax: 269053310 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 7204	1	0	0
NtSetContextThread July 1, 2021, 8:06 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004dc process_identifier: 2488	1	0	0
NtSetContextThread July 1, 2021, 8:06 a.m.	registers.eip: 2000355780 registers.esp: 2881720 registers.edi: 0 registers.eax: 269053310 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000200 process_identifier: 5572	1	0	0
NtSetContextThread July 1, 2021, 8:06 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000042c process_identifier: 532	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 resumed a thread in remote process 7204
Process injection	Process 7204 resumed a thread in remote process 2488
Process injection	Process 2268 resumed a thread in remote process 5572
Process injection	Process 5572 resumed a thread in remote process 532
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 7204	1	0	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x000004dc suspend_count: 1 process_identifier: 2488	1	0	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 5572	1	0	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 532	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\rstrui.exe

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (50 out of 148 events)

Time & API	Arguments	Status	Return
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 4656	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 3500 thread_handle: 0x00000208 process_identifier: 7204 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000210	1	1
NtUnmapViewOfSection July 1, 2021, 8:05 a.m.	base_address: 0x10000000 region_size: 1729888256 process_identifier: 7204 process_handle: 0x00000210		3221225497
NtAllocateVirtualMemory July 1, 2021, 8:05 a.m.	process_identifier: 7204 region_size: 638976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà8c¢à"PN ~m À @(m S H.textM N `.rsrc P @@.reloc T @B base_address: 0x10000000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: base_address: 0x10002000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: 0HX ,,4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoh000004b0Comments"CompanyName>FileDescriptionRunPeBraba0FileVersion1.0.0.0>InternalNameRunPeBraba.dllHLegalCopyrightCopyright © 2020*LegalTrademarksFOriginalFilenameRunPeBraba.dll6ProductNameRunPeBraba4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x10098000 process_identifier: 7204 process_handle: 0x00000210	1	1
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: ` = base_address: 0x1009a000 process_identifier: 7204 process_handle: 0x00000210	1	1
NtGetContextThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000208	1	0
WriteProcessMemory July 1, 2021, 8:05 a.m.	buffer: base_address: 0xfffde008 process_identifier: 7204 process_handle: 0x00000210	1	1
NtSetContextThread July 1, 2021, 8:05 a.m.	registers.eip: 2000355780 registers.esp: 3078620 registers.edi: 0 registers.eax: 269053310 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 7204	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 7204	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 7204	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 7204	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 7204	1	0
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 8752 thread_handle: 0x00000374 process_identifier: 6012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 2228 thread_handle: 0x0000037c process_identifier: 3752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000390	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 3624 thread_handle: 0x00000398 process_identifier: 6200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ac	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 6152 thread_handle: 0x000003ac process_identifier: 4672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 9168 thread_handle: 0x00000414 process_identifier: 2268 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tj85xg1cs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000438	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 5260 thread_handle: 0x00000414 process_identifier: 8572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000454	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:05 a.m.	thread_identifier: 7316 thread_handle: 0x00000440 process_identifier: 6596 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000046c	1	1
NtResumeThread July 1, 2021, 8:05 a.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:06 a.m.	thread_identifier: 5860 thread_handle: 0x00000464 process_identifier: 5992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\cbMadd8augIa6FPb2b0WT9H3Ncddgaq6QZ2084\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 7204	1	0
CreateProcessInternalW July 1, 2021, 8:06 a.m.	thread_identifier: 9060 thread_handle: 0x000004b8 process_identifier: 7352 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d0	1	1
CreateProcessInternalW July 1, 2021, 8:06 a.m.	thread_identifier: 6368 thread_handle: 0x000004dc process_identifier: 2488 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ujunkwerex.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004e0	1	1
NtGetContextThread July 1, 2021, 8:06 a.m.	thread_handle: 0x000004dc	1	0
NtAllocateVirtualMemory July 1, 2021, 8:06 a.m.	process_identifier: 2488 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e0	1	0
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTàÈdç @ 8çW Ha H.textÇ È `.relocÊ@B.rsrcHa bÌ@@ base_address: 0x00400000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: base_address: 0x00402000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: à7 base_address: 0x00420000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: base_address: 0x00422000 process_identifier: 2488 process_handle: 0x000004e0	1	1
WriteProcessMemory July 1, 2021, 8:06 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2488 process_handle: 0x000004e0	1	1
NtSetContextThread July 1, 2021, 8:06 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319122 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004dc process_identifier: 2488	1	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x000004dc suspend_count: 1 process_identifier: 2488	1	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 6012	1	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 6012	1	0
NtResumeThread July 1, 2021, 8:06 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 6012	1	0

ujunkwerex.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All