Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2021, 10:59 a.m.	Nov. 2, 2021, 11:01 a.m.

Size	1.8KB
Type	ASCII text, with CRLF line terminators
MD5	`5754e7195a41fe5b5d32d7ca3764c049`
SHA256	`0f8cd35d61b0291b86318702957d433c04d2c840c70648ef68a3ad62cdcee5d5`
CRC32	`386E3B6F`
ssdeep	`48:8Ao/mwhEwPLHcvzWvgWvovTbv/vLUvmvUiYvCIv5IvLHukcAzc:8Ao/mwhEwPLHyaUMA4`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\pad.vbs
2796
- wscript.exe "C:\Windows\SysWOW64\wscript.exe" "C:\Users\test22\AppData\Local\Temp\pad.vbs" /elevate
  2880
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
    3028
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
    2076
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    2148
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    2020
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    316
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    2336
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    2460
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    2568
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    2776
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    2940
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    2236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 66 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 10:59 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 10:59 a.m.			0	0

Command line console output was observed (50 out of 88 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -DisableRealtimeMonitoring $true console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -DisableBehaviorMonitoring $true console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -DisableBlockAtFirstSeen $true console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -DisableIOAVProtection $true console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -DisableScriptScanning $true console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + Set-MpPreference <<<< -SubmitSamplesConsent 2 console_handle: 0x00000053	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 2, 2021, 10:59 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 506 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00304fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00560620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00560ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00560ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00560ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 10:59 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1508 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72292000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02747000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 10:59 a.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (22 events)

cmdline	powershell Set-MpPreference -ModerateThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
cmdline	powershell Set-MpPreference -SubmitSamplesConsent 2
cmdline	powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
cmdline	powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline	powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
cmdline	powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline	powershell Set-MpPreference -LowThreatDefaultAction 6
cmdline	powershell Set-MpPreference -DisableScriptScanning $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
cmdline	powershell Set-MpPreference -SevereThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
cmdline	powershell Set-MpPreference -DisableIOAVProtection $true
cmdline	powershell Set-MpPreference -MAPSReporting 0
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

A process created a hidden window (11 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableRealtimeMonitoring $true filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableBehaviorMonitoring $true filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableBlockAtFirstSeen $true filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableIOAVProtection $true filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -DisableScriptScanning $true filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -SubmitSamplesConsent 2 filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -MAPSReporting 0 filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -HighThreatDefaultAction 6 -Force filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ModerateThreatDefaultAction 6 filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -LowThreatDefaultAction 6 filepath: powershell	1	1
ShellExecuteExW Nov. 2, 2021, 10:59 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -SevereThreatDefaultAction 6 filepath: powershell	1	1

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Lionic	Trojan.Script.Generic.4!c
Sangfor	Trojan.Generic-VBS.Save.e95c6ff2
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
McAfee-GW-Edition	BehavesLike.VBS.Backdoor.zp
ZoneAlarm	HEUR:Trojan.Script.Generic
Fortinet	VBS/Agent.917B!tr
AVG	Script:SNH-gen [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

A potential heapspray has been detected. 102 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1637

name

heapspray

process

powershell.exe

total_mb

102

length

65536

protection

PAGE_READWRITE

One or more non-whitelisted processes were created (24 events)

parent_process	wscript.exe	martian_process	powershell Set-MpPreference -ModerateThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -SubmitSamplesConsent 2
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableBehaviorMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableRealtimeMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableBlockAtFirstSeen $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -LowThreatDefaultAction 6
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableScriptScanning $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -SevereThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -DisableIOAVProtection $true
parent_process	wscript.exe	martian_process	powershell Set-MpPreference -MAPSReporting 0
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
parent_process	wscript.exe	martian_process	"C:\Windows\SysWOW64\wscript.exe" "C:\Users\test22\AppData\Local\Temp\pad.vbs" /elevate
parent_process	wscript.exe	martian_process	C:\Windows\SysWOW64\wscript.exe "C:\Users\test22\AppData\Local\Temp\pad.vbs" /elevate

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 resumed a thread in remote process 2880
NtResumeThread Nov. 2, 2021, 10:59 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2880	1	0	0

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

pad.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All