Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2021, 1:11 p.m.	Nov. 8, 2021, 1:13 p.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`70af2782a658f04e84341f18e09207ae`
SHA256	`0b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98`
CRC32	`88A49735`
ssdeep	`24576:/b1znt1E171toVuGFeOkxiCgFTAdBZXWCWCjqHs9NnnIz4:TRntWFOjeTxTgF87Z7WCjes9tR`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

6703_1636277141_5925.exe "C:\Users\test22\AppData\Local\Temp\6703_1636277141_5925.exe"
2344
- 123.exe "C:\Users\test22\AppData\Local\Temp\123.exe"
  2640
  - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    2772
  - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    2780
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    1948
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    2800
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    2600
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
    3028
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
    3040
  - deforcing.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe"
    2020
    - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      1488
    - AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2660
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      1604
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      2400
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      2292
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
      776
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      2528
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
      644
    - aspnet_regsql.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
      2152
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    2328
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
    2596
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    1060
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
    2832
  - aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    2468
- OlecranonsCasein.exe "C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe"
  2764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
62.113.112.212	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 112 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2021, 1:11 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (27 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2021, 1:03 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:03 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0
IsDebuggerPresent Nov. 8, 2021, 1:11 p.m.			0	0

Command line console output was observed (50 out of 135 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\123. console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\123. console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\123. console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: ft\Windows\Start Menu\Programs\Startup\deforcing.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\Microso console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: ft\Windows\Start Menu\Programs\Startup\deforcing.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2021, 1:11 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\123. console_handle: 0x00000053	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 732 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f69e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a96a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a93e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9c68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a9ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2021, 1:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aa0e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2021, 1:03 p.m.		1	1	0

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Nov. 8, 2021, 1:11 p.m.	stacktrace: 0x6a5d46 0x6a479a 0x6a4129 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x2cb060 @ 0x7229b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d microsoft+0x50c17 @ 0x6ee30c17 microsoft+0x3f33f @ 0x6ee1f33f microsoft+0x3edf8 @ 0x6ee1edf8 microsoft+0x3e3b9 @ 0x6ee1e3b9 microsoft+0x17e980 @ 0x6ef5e980 0x6a3163 0x6a14fd 0x6a0226 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 11 53 ba 71 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6a5dcc registers.esp: 2091196 registers.edi: 2091236 registers.eax: 0 registers.ebp: 2091248 registers.edx: 37556776 registers.ebx: 2092068 registers.esi: 37732736 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 1:11 p.m.	stacktrace: 0x6a5d58 0x6a479a 0x6a4129 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x2cb060 @ 0x7229b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d microsoft+0x50c17 @ 0x6ee30c17 microsoft+0x3f33f @ 0x6ee1f33f microsoft+0x3edf8 @ 0x6ee1edf8 microsoft+0x3e3b9 @ 0x6ee1e3b9 microsoft+0x17e980 @ 0x6ef5e980 0x6a3163 0x6a14fd 0x6a0226 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 11 53 ba 71 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6a5dcc registers.esp: 2091196 registers.edi: 2091236 registers.eax: 0 registers.ebp: 2091248 registers.edx: 37732836 registers.ebx: 2092068 registers.esi: 37732736 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 1:11 p.m.	stacktrace: 0x805d46 0x80479a 0x804129 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x2cb060 @ 0x7229b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d microsoft+0x50c17 @ 0x6ee30c17 microsoft+0x3f33f @ 0x6ee1f33f microsoft+0x3edf8 @ 0x6ee1edf8 microsoft+0x3e3b9 @ 0x6ee1e3b9 microsoft+0x17e980 @ 0x6ef5e980 0x803163 0x8014fd 0x800226 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 11 53 a4 71 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x805dcc registers.esp: 1631532 registers.edi: 1631572 registers.eax: 0 registers.ebp: 1631584 registers.edx: 34542120 registers.ebx: 1632404 registers.esi: 34716616 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 1:11 p.m.	stacktrace: 0x805d58 0x80479a 0x804129 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x2cb060 @ 0x7229b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d36ad @ 0x722a36ad mscorlib+0x308f2d @ 0x722d8f2d microsoft+0x50c17 @ 0x6ee30c17 microsoft+0x3f33f @ 0x6ee1f33f microsoft+0x3edf8 @ 0x6ee1edf8 microsoft+0x3e3b9 @ 0x6ee1e3b9 microsoft+0x17e980 @ 0x6ef5e980 0x803163 0x8014fd 0x800226 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 39 09 e8 11 53 a4 71 c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x805dcc registers.esp: 1631532 registers.edi: 1631572 registers.eax: 0 registers.ebp: 1631584 registers.edx: 34716716 registers.ebx: 1632404 registers.esi: 34716616 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 1:11 p.m.	stacktrace: 0x6c55aa 0x6c5525 0x6c145c 0x6c11b0 0x6c0056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6c5639 registers.esp: 1438120 registers.edi: 38896664 registers.eax: 0 registers.ebp: 1438144 registers.edx: 7496208 registers.ebx: 37757956 registers.esi: 38896844 registers.ecx: 0	1
__exception__ Nov. 8, 2021, 1:12 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73af1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x739c2ba1 mscorlib+0x36dd1b @ 0x7233dd1b mscorlib+0x32fea6 @ 0x722ffea6 mscorlib+0x30ab40 @ 0x722dab40 0x6ca289 0x6cec70 0x6ce7fb 0x6ce238 0x6c5ad9 0x6c14c6 0x6c11b0 0x6c0056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1437612 registers.edi: 0 registers.eax: 1437612 registers.ebp: 1437692 registers.edx: 0 registers.ebx: 7471696 registers.esi: 7496208 registers.ecx: 4051252378	1
__exception__ Nov. 8, 2021, 1:12 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73af1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x739c2ba1 mscorlib+0x316bc8 @ 0x722e6bc8 mscorlib+0x32fddf @ 0x722ffddf mscorlib+0x30ab1e @ 0x722dab1e 0x6ca289 0x6cec70 0x6ce7fb 0x6ce238 0x6c5ad9 0x6c14c6 0x6c11b0 0x6c0056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 1437668 registers.edi: 0 registers.eax: 1437668 registers.ebp: 1437748 registers.edx: 0 registers.ebx: 7471696 registers.esi: 7496208 registers.ecx: 4051252386	1
__exception__ Nov. 8, 2021, 1:12 p.m.	stacktrace: 0x7120a2 0x71201d 0x71145c 0x7111b0 0x710056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73a074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73a07610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a91dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a91e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a91f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a9416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73fef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x712131 registers.esp: 3534040 registers.edi: 37621228 registers.eax: 0 registers.ebp: 3534064 registers.edx: 5005768 registers.ebx: 36512756 registers.esi: 37621408 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2335 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef325b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bc4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9342c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:03 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:04 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:04 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:04 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9342a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:04 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9343b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\test.bat
file	C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\123.exe
file	C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\test.bat
file	C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat
file	C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe
file	C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\123.exe
file	C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe
file	C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe
file	C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\123.exe

A process created a hidden window (19 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2021, 1:11 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath: powershell	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 66 events)

Time & API	Arguments	Status	Return
Process32FirstW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: System process_identifier: 4	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: services.exe process_identifier: 440	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 576	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 720	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 844	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: audiodg.exe process_identifier: 924	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: spoolsv.exe process_identifier: 1064	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 1132	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 1332	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: svchost.exe process_identifier: 1728	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 1860	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: SearchIndexer.exe process_identifier: 1904	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: SearchProtocolHost.exe process_identifier: 744	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: SearchProtocolHost.exe process_identifier: 1876	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 2084	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 2176	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: 6703_1636277141_5925.exe process_identifier: 2344	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: 123.exe process_identifier: 2640	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: cmd.exe process_identifier: 2712	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2724	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 2748	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: OlecranonsCasein.exe process_identifier: 2764	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 2772	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 2780	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: TrustedInstaller.exe process_identifier: 2932	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 1948	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 2800	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2864	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 1652	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 2600	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 3000	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 3028	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2060	1	1
Process32NextW Nov. 8, 2021, 1:11 p.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 3040	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00134000', u'virtual_address': u'0x00002000', u'entropy': 7.716996148196171, u'name': u'.text', u'virtual_size': u'0x00133fe4'}

entropy

7.7169961482

description

A section with a high entropy has been found

entropy

0.998379254457

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (24 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2021, 1:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: 7-Zip base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: AddressBook base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Adobe AIR base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Connection Manager base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: EditPlus base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Fontcore base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Google Chrome base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: IE40 base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: IE4Data base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: IEData base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: WIC base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Nov. 8, 2021, 1:12 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000384 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Nov. 8, 2021, 1:11 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x0000025c
NtTerminateProcess Nov. 8, 2021, 1:11 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x0000025c	1
NtTerminateProcess Nov. 8, 2021, 1:11 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x0000025c
NtTerminateProcess Nov. 8, 2021, 1:11 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x0000025c	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\5df72808-f7e9-414c-9780-53e050306c4c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\2ad87d7e-5e5e-4ada-9506-bd9e47fde881\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Communicates with host for which no DNS query was performed (1 event)

host

62.113.112.212

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2468 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398	1	0
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2388 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c		3221225496
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2152 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\deforcing				reg_value	C:\Windows\Resources\Themes\appertaining\svchost.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\deforcing				reg_value	C:\Windows\Resources\Themes\appertaining\svchost.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2764 manipulating memory of non-child process 2388
NtUnmapViewOfSection Nov. 8, 2021, 1:11 p.m.	base_address: 0x00400000 region_size: 184320 process_identifier: 2388 process_handle: 0x0000025c	3221225497	0
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2388 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	3221225496	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë2æà0 À@ ç´@ÈOÀÜÐà¬ H.text `.rsrcÜÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: P8hÜÀLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameDiscussed.exe(LegalCopyright DOriginalFilenameDiscussed.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìÂêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041c000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: = base_address: 0x0041e000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë2æà0 À@ ç´@ÈOÀÜÐà¬ H.text `.rsrcÜÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2152 process_handle: 0x00000210	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: P8hÜÀLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameDiscussed.exe(LegalCopyright DOriginalFilenameDiscussed.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìÂêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041c000 process_identifier: 2152 process_handle: 0x00000210	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: = base_address: 0x0041e000 process_identifier: 2152 process_handle: 0x00000210	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2152 process_handle: 0x00000210	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë2æà0 À@ ç´@ÈOÀÜÐà¬ H.text `.rsrcÜÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2468 process_handle: 0x00000398	1	1	0
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë2æà0 À@ ç´@ÈOÀÜÐà¬ H.text `.rsrcÜÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2152 process_handle: 0x00000210	1	1	0

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000388 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Nov. 8, 2021, 1:12 p.m.	key_handle: 0x00000218 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 called NtSetContextThread to modify thread in remote process 2468
Process injection	Process 2764 called NtSetContextThread to modify thread in remote process 2388
Process injection	Process 2020 called NtSetContextThread to modify thread in remote process 2152
NtSetContextThread Nov. 8, 2021, 1:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4295962 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 2468	1	0	0
NtSetContextThread Nov. 8, 2021, 1:11 p.m.	registers.eip: 1999372740 registers.esp: 4390396 registers.edi: 0 registers.eax: 4296022 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2388	1	0	0
NtSetContextThread Nov. 8, 2021, 1:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4295962 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000047c process_identifier: 2152	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 resumed a thread in remote process 2468
Process injection	Process 2764 resumed a thread in remote process 2388
Process injection	Process 2020 resumed a thread in remote process 2152
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2468	1	0	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000238 suspend_count: 0 process_identifier: 2388	1	0	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x0000047c suspend_count: 1 process_identifier: 2152	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet

Disables Windows Security features (5 events)

description	attempts to disable user access control	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

Executed a process and injected code into it, probably while unpacking (50 out of 177 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 8, 2021, 1:03 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2344	1	0
NtResumeThread Nov. 8, 2021, 1:03 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2344	1	0
NtResumeThread Nov. 8, 2021, 1:03 p.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2344	1	0
CreateProcessInternalW Nov. 8, 2021, 1:04 p.m.	thread_identifier: 2644 thread_handle: 0x0000000000000390 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\123.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\123.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\123.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000398	1	1
CreateProcessInternalW Nov. 8, 2021, 1:04 p.m.	thread_identifier: 2768 thread_handle: 0x000000000000031c process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\OlecranonsCasein.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000039c	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2776 thread_handle: 0x00000434 process_identifier: 2772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath_r: C:\Users\test22\AppData\Local\Temp\96b5728a-2182-4ac6-9780-9a4835abb8a7\AdvancedRun.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000440	1	1
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2784 thread_handle: 0x0000043c process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath_r: C:\Users\test22\AppData\Local\Temp\e132ee2c-eb4f-4b88-a7bf-8f1f582dc6da\AdvancedRun.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000438	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 1116 thread_handle: 0x00000488 process_identifier: 1948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a8	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2792 thread_handle: 0x000004ac process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b0	1	1
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2628 thread_handle: 0x0000042c process_identifier: 2600 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b8	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004a0 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 3016 thread_handle: 0x000004b8 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004cc	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004c0 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2124 thread_handle: 0x000004cc process_identifier: 3040 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004e4	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004d8 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2320 thread_handle: 0x000004e4 process_identifier: 2328 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004fc	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004f0 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2508 thread_handle: 0x000004ec process_identifier: 2020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000510	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2576 thread_handle: 0x0000050c process_identifier: 2596 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000052c	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000520 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 416 thread_handle: 0x0000052c process_identifier: 1060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000544	1	1
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000538 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2604 thread_handle: 0x00000544 process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000055c	1	1
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2244 thread_handle: 0x00000550 process_identifier: 2904 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000448	1	1
NtGetContextThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x00000550		3221225485
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2464 thread_handle: 0x000004b4 process_identifier: 2928 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000458	1	1
NtGetContextThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000004b4		3221225485
CreateProcessInternalW Nov. 8, 2021, 1:11 p.m.	thread_identifier: 2132 thread_handle: 0x000003a4 process_identifier: 2468 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000398	1	1
NtGetContextThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000003a4	1	0
NtAllocateVirtualMemory Nov. 8, 2021, 1:11 p.m.	process_identifier: 2468 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398	1	0
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë2æà0 À@ ç´@ÈOÀÜÐà¬ H.text `.rsrcÜÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: base_address: 0x00402000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: P8hÜÀLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0<InternalNameDiscussed.exe(LegalCopyright DOriginalFilenameDiscussed.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìÂêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041c000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: = base_address: 0x0041e000 process_identifier: 2468 process_handle: 0x00000398	1	1
WriteProcessMemory Nov. 8, 2021, 1:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2468 process_handle: 0x00000398	1	1
NtSetContextThread Nov. 8, 2021, 1:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4295962 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 2468	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2468	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2764	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2764	1	0
NtResumeThread Nov. 8, 2021, 1:11 p.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 2764	1	0

6703_1636277141_5925.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All