Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2021, 6:01 p.m.	April 16, 2021, 6:05 p.m.

Size	283.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1f130569a8373dfae4f387d4757769cf`
SHA256	`ed5872028e073a00549aa0ffe151dc4d641eae83694c1fcc3dc545183c091d97`
CRC32	`D43AA142`
ssdeep	`6144:hR5DOD71cP9H5oRaZVhYEQhAtb05fyYNTPktoukKWueah:Zi3KfoRaP6EQStb0XJahX3`
PDB Path	C:\Users\Administrator\Desktop\KP\obj\Debug\Zamnako.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check

file.txt "C:\Users\test22\AppData\Local\Temp\file.txt"
1756
- file.txt "C:\Users\test22\AppData\Local\Temp\file.txt"
  3028
  - WMIC.exe "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    2716
  - WMIC.exe "wmic" os get caption /FORMAT:List
    2316
  - WMIC.exe "wmic" path win32_VideoController get caption /FORMAT:List
    1108
  - WMIC.exe "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    2252
  - WMIC.exe "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    900
  - WMIC.exe "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get StatusCode /FORMAT:List
    2824
  - WMIC.exe "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get ResponseTime /FORMAT:List
    2684
  - file.txt /scomma "C:\Users\test22\AppData\Local\Temp\1.log"
    2608

Name	Response	Post-Analysis Lookup
vladisfoxlink.ru	A 45.85.90.7	45.85.90.7

IP Address	Status	Action
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch
45.85.90.7	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2029144	ET MALWARE DiamondFox HTTP Post CnC Checkin M3	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2022818	ET MALWARE Generic gate[.].php GET with minimal headers	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 45.85.90.7:80	2030802	ET HUNTING Suspicious GET To gate.php with no Referer	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49216 -> 45.85.90.7:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 16, 2021, 6:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2021, 6:03 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2021, 6:01 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:01 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0
IsDebuggerPresent April 16, 2021, 6:03 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\KP\obj\Debug\Zamnako.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2021, 6:01 p.m.		1	1	0

One or more processes crashed (50 out of 84 events)

Time & API	Arguments	Status
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668068 registers.edi: 0 registers.eax: 1 registers.ebp: 3668316 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4983744	1
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668108 registers.edi: 0 registers.eax: 1 registers.ebp: 3668356 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4983744	1
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668012 registers.edi: 0 registers.eax: 1 registers.ebp: 3668260 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668040 registers.edi: 0 registers.eax: 1 registers.ebp: 3668288 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668040 registers.edi: 0 registers.eax: 1 registers.ebp: 3668288 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:03 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3668024 registers.edi: 0 registers.eax: 1 registers.ebp: 3668272 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:04 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:05 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:05 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1
__exception__ April 16, 2021, 6:05 p.m.	stacktrace: New_wininet_InternetSetOptionA@16+0x91 New_wininet_InternetSetStatusCallback@8-0x6a @ 0x73cca889 InternetSetOptionW+0xe0 InternetQueryOptionW-0x54 wininet+0x3536a @ 0x7514536a file+0x87cc @ 0x4087cc exception.instruction_r: 8b 1b 89 5d 98 c7 45 fc fe ff ff ff 85 c9 0f 85 exception.symbol: InternetOpenA+0x731 InternetCrackUrlA-0x2565 wininet+0x1dd19 exception.instruction: mov ebx, dword ptr [ebx] exception.module: WININET.dll exception.exception_code: 0xc0000005 exception.offset: 122137 exception.address: 0x7512dd19 registers.esp: 3667948 registers.edi: 0 registers.eax: 1 registers.ebp: 3668196 registers.edx: 0 registers.ebx: 1000 registers.esi: 2 registers.ecx: 4990856	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://vladisfoxlink.ru/support/enfr/gate.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://vladisfoxlink.ru/support/enfr/gate.php?1df=01A01720988C

Performs some HTTP requests (6 events)

request	GET http://vladisfoxlink.ru/support/enfr/gate.php?ct=1
request	POST http://vladisfoxlink.ru/support/enfr/gate.php
request	POST http://vladisfoxlink.ru/support/enfr/gate.php?1df=01A01720988C
request	GET http://vladisfoxlink.ru/support/enfr/gate.php?pl=1
request	GET http://vladisfoxlink.ru/support/enfr/gate.php?gpp=1
request	GET http://vladisfoxlink.ru/support/enfr/gate.php?p=1

Sends data using the HTTP POST Method (2 events)

request	POST http://vladisfoxlink.ru/support/enfr/gate.php
request	POST http://vladisfoxlink.ru/support/enfr/gate.php?1df=01A01720988C

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

vladisfoxlink.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04350178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043501a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043501c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0438db4e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0438db42 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04350208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645bc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645dc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645e4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645e8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645f4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645f8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043645fc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364604 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364608 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364610 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364614 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364618 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364620 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04364624 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 1756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 16, 2021, 6:03 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13727457280 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 16, 2021, 6:04 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 16, 2021, 6:04 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (40 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera\wand.dat
file	C:\Users\test22\AppData\Roaming\Opera\Opera7\profile\wand.dat
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Creates a suspicious process (7 events)

cmdline	"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
cmdline	"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='vladisfoxlink.ru' get StatusCode /FORMAT:List
cmdline	"wmic" os get caption /FORMAT:List
cmdline	"wmic" path win32_VideoController get caption /FORMAT:List
cmdline	"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='vladisfoxlink.ru' get ResponseTime /FORMAT:List

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW April 16, 2021, 6:03 p.m.	snapshot_handle: 0x000002a8 process_name: pw.exe process_identifier: 2360	1	1
Process32NextW April 16, 2021, 6:03 p.m.	snapshot_handle: 0x000002a8 process_name: taskhost.exe process_identifier: 2020	1	1
Process32NextW April 16, 2021, 6:03 p.m.	snapshot_handle: 0x000002a8 process_name: file.txt process_identifier: 3028	1	1
Process32NextW April 16, 2021, 6:03 p.m.	snapshot_handle: 0x000002a8 process_name: WmiPrvSE.exe process_identifier: 2740	1	1
Process32NextW April 16, 2021, 6:04 p.m.	snapshot_handle: 0x00000130 process_name: file.txt process_identifier: 2608	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00046200', u'virtual_address': u'0x00002000', u'entropy': 7.133367510553625, u'name': u'.text', u'virtual_size': u'0x000461f0'}

entropy

7.13336751055

description

A section with a high entropy has been found

entropy

0.992920353982

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 16, 2021, 6:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (37 events)

description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Take screenshot	rule	screenshot
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 77 events)

Time & API	Arguments	Status
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW April 16, 2021, 6:03 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
cmdline	"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='vladisfoxlink.ru' get StatusCode /FORMAT:List
cmdline	"wmic" os get caption /FORMAT:List
cmdline	"wmic" path win32_VideoController get caption /FORMAT:List
cmdline	"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
cmdline	"wmic" path win32_PingStatus where address='vladisfoxlink.ru' get ResponseTime /FORMAT:List

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT VolumeName FROM Win32_LogicalDisk WHERE DriveType=4
wmi	SELECT IPAddress FROM win32_NetworkAdapterConfiguration WHERE IPEnabled=1

Communicates with host for which no DNS query was performed (2 events)

host	131.153.76.130
host	88.99.66.31

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 3028 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000310	1	0	0
NtAllocateVirtualMemory April 16, 2021, 6:03 p.m.	process_identifier: 2608 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0	0

Attempts to identify installed AV products by installation directory (11 events)

file	C:\Program Files\AVAST Software\Avast\avastUI.exe
file	C:\Program Files (x86)\AVAST Software\Avast\avastUI.exe
file	C:\Program Files\AVAST Software
file	C:\Program Files (x86)\AVAST Software
file	C:\Program Files\Kaspersky Lab
file	C:\Program Files (x86)\Kaspersky Lab
file	C:\Program Files\McAfee\Agent
file	C:\Program Files\Trend Micro
file	C:\Program Files (x86)\Trend Micro
file	C:\Program Files\AVG\Antivirus\AVGUI.exe
file	C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Executes one or more WMI queries (7 events)

wmi	SELECT StatusCode FROM win32_PingStatus WHERE address='vladisfoxlink.ru'
wmi	SELECT IPAddress FROM win32_NetworkAdapterConfiguration WHERE IPEnabled=1
wmi	SELECT ResponseTime FROM win32_PingStatus WHERE address='vladisfoxlink.ru'
wmi	SELECT displayName FROM AntiVirusProduct
wmi	SELECT Caption FROM win32_VideoController
wmi	SELECT VolumeName FROM Win32_LogicalDisk WHERE DriveType=4
wmi	SELECT caption FROM Win32_OperatingSystem

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELuÞ`à2t¬@Pì"@'X.codeQ `.text_ì î `.rdata,ghx@@.dataøB:à@À base_address: 0x00400000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2608 process_handle: 0x000002b0	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2608 process_handle: 0x000002b0	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELuÞ`à2t¬@Pì"@'X.codeQ `.text_ì î `.rdata,ghx@@.dataøB:à@À base_address: 0x00400000 process_identifier: 3028 process_handle: 0x00000310	1	1	0
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2608 process_handle: 0x000002b0	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW April 16, 2021, 6:03 p.m.	key_handle: 0x000002a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.1f130569a8373dfa
McAfee	Artemis!1F130569A837
Alibaba	Trojan:Win32/Kryptik.ali2000016
Cybereason	malicious.37ade7
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.JNYPLQU
APEX	Malicious
Avast	FileRepMalware
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_70% (W)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1756 called NtSetContextThread to modify thread in remote process 3028
Process injection	Process 3028 called NtSetContextThread to modify thread in remote process 2608
NtSetContextThread April 16, 2021, 6:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000030c process_identifier: 3028	1	0	0
NtSetContextThread April 16, 2021, 6:03 p.m.	registers.eip: 2000355780 registers.esp: 3276072 registers.edi: 0 registers.eax: 4482804 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d8 process_identifier: 2608	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1756 resumed a thread in remote process 3028
Process injection	Process 3028 resumed a thread in remote process 2608
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 3028	1	0	0
NtResumeThread April 16, 2021, 6:03 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2608	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (36 events)

Time & API	Arguments	Status	Return
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1756	1	0
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1756	1	0
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1756	1	0
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1756	1	0
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 1756	1	0
CreateProcessInternalW April 16, 2021, 6:01 p.m.	thread_identifier: 1120 thread_handle: 0x0000030c process_identifier: 3028 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\file.txt track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\file.txt stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000310	1	1
NtGetContextThread April 16, 2021, 6:01 p.m.	thread_handle: 0x0000030c	1	0
NtAllocateVirtualMemory April 16, 2021, 6:01 p.m.	process_identifier: 3028 region_size: 217088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000310	1	0
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELuÞ`à2t¬@Pì"@'X.codeQ `.text_ì î `.rdata,ghx@@.dataøB:à@À base_address: 0x00400000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: base_address: 0x00401000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: base_address: 0x0040a000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: base_address: 0x00429000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: base_address: 0x00430000 process_identifier: 3028 process_handle: 0x00000310	1	1
WriteProcessMemory April 16, 2021, 6:01 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3028 process_handle: 0x00000310	1	1
NtSetContextThread April 16, 2021, 6:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4198400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000030c process_identifier: 3028	1	0
NtResumeThread April 16, 2021, 6:01 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 2880 thread_handle: 0x00000294 process_identifier: 2716 current_directory: filepath: track: 1 command_line: "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x000002a0	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 1884 thread_handle: 0x0000029c process_identifier: 2316 current_directory: filepath: track: 1 command_line: "wmic" os get caption /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000298	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 1972 thread_handle: 0x00000294 process_identifier: 1108 current_directory: filepath: track: 1 command_line: "wmic" path win32_VideoController get caption /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x000002a0	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 2480 thread_handle: 0x000002a0 process_identifier: 2252 current_directory: filepath: track: 1 command_line: "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000298	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 1444 thread_handle: 0x00000294 process_identifier: 900 current_directory: filepath: track: 1 command_line: "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x0000029c	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 2532 thread_handle: 0x000002a8 process_identifier: 2824 current_directory: filepath: track: 1 command_line: "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get StatusCode /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x000002b0	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 1552 thread_handle: 0x000002ac process_identifier: 2684 current_directory: filepath: track: 1 command_line: "wmic" path win32_PingStatus where address='vladisfoxlink.ru' get ResponseTime /FORMAT:List filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x000002a4	1	1
CreateProcessInternalW April 16, 2021, 6:03 p.m.	thread_identifier: 656 thread_handle: 0x000002d8 process_identifier: 2608 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\file.txt track: 1 command_line: /scomma "C:\Users\test22\AppData\Local\Temp\1.log" filepath_r: C:\Users\test22\AppData\Local\Temp\file.txt stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtUnmapViewOfSection April 16, 2021, 6:03 p.m.	base_address: 0x00400000 region_size: 1994129408 process_identifier: 2608 process_handle: 0x000002b0		3221225497
NtAllocateVirtualMemory April 16, 2021, 6:03 p.m.	process_identifier: 2608 region_size: 507904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Lî¨÷-û÷-û÷-û4"ßûõ-û4"Ýûá-û Àûü-û-ûü-û÷-û§,û ûô-ûÐëòûÍ-ûÐëüûö-ûÐëøûö-ûRich÷-ûPEL´Ë^àÐJôfà@Àáµlvð0 äàl.textJÏÐ `.rdataÊà®Ô@@.dataä@À.rsrc0@@ base_address: 0x00400000 process_identifier: 2608 process_handle: 0x000002b0	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: base_address: 0x00401000 process_identifier: 2608 process_handle: 0x000002b0	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: base_address: 0x0044e000 process_identifier: 2608 process_handle: 0x000002b0	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: base_address: 0x00459000 process_identifier: 2608 process_handle: 0x000002b0	1	1
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: base_address: 0x00473000 process_identifier: 2608 process_handle: 0x000002b0	1	1
NtGetContextThread April 16, 2021, 6:03 p.m.	thread_handle: 0x000002d8	1	0
WriteProcessMemory April 16, 2021, 6:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2608 process_handle: 0x000002b0	1	1
NtSetContextThread April 16, 2021, 6:03 p.m.	registers.eip: 2000355780 registers.esp: 3276072 registers.edi: 0 registers.eax: 4482804 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d8 process_identifier: 2608	1	0
NtResumeThread April 16, 2021, 6:03 p.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2608	1	0
NtResumeThread April 16, 2021, 6:03 p.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2608	1	0

file.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All