Summary | ZeroBOX

Category	Machine	Started	Completed
URL	s1_win7_x3201	June 17, 2021, 1:35 p.m.	June 17, 2021, 1:37 p.m.

URL	http://srand04rf.ru/f7juhkryu4.exe
File	dee4bb7d46bbbec6_f7juhkryu4[1].exe
Size	266.5KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`270c3859591599642bd15167765246e3`
SHA256	`dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019`
CRC32	`D9D2C587`
ssdeep	`6144:Rxa4Hg2gf0jOrkOWnNwZvbMoq2T4qi+AHPHrr:JHg727Nwyo9Av/`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Ficker_Stealer_Zero - Ficker Stealer

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://srand04rf.ru/f7juhkryu4.exe
5224
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5224 CREDAT:79873
  5400
  - f7juhkryu4[1].exe "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe"
    3016

Name	Response	Post-Analysis Lookup
api.ipify.org	A 50.16.226.23 CNAME nagano-19599.herokussl.com A 54.225.210.209 A 50.19.92.227 A 107.22.233.72 A 23.21.224.49 A 54.225.78.40 A 54.243.175.83 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 54.235.194.223	54.243.175.83
srand04rf.ru	A 8.209.119.208	8.209.119.208
pospvisis.com	A 185.66.15.228 A 92.62.115.177	185.66.15.228

IP Address	Status	Action
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
50.19.92.227	Active	Moloch
8.209.119.208	Active	Moloch
92.62.115.177	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 92.62.115.177:80 -> 192.168.56.103:49608	2031074	ET MALWARE Win32/Ficker Stealer Activity	A Network Trojan was detected
TCP 192.168.56.103:49608 -> 92.62.115.177:80	2031132	ET MALWARE Win32/Ficker Stealer Activity M3	A Network Trojan was detected
TCP 192.168.56.103:49606 -> 50.19.92.227:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation
TCP 8.209.119.208:80 -> 192.168.56.103:49600	2014819	ET INFO Packed Executable Download	Misc activity
TCP 8.209.119.208:80 -> 192.168.56.103:49600	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 92.62.115.177:80 -> 192.168.56.103:49609	2031074	ET MALWARE Win32/Ficker Stealer Activity	A Network Trojan was detected
TCP 192.168.56.103:49609 -> 92.62.115.177:80	2031132	ET MALWARE Win32/Ficker Stealer Activity M3	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 17, 2021, 1:35 p.m.	computer_name: WIN7-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 17, 2021, 1:35 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 17, 2021, 1:35 p.m.	stacktrace: RpcRaiseException+0x4b RpcExceptionFilter-0xf rpcrt4+0x1e106 @ 0x7799e106 DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x770ff725 RpcMgmtSetCancelTimeout+0x107 NdrMesTypeAlignSize2-0x28 rpcrt4+0x24926 @ 0x779a4926 WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x770fc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x76ff98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x76ffb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x76ffb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x76ffb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x76ffa66e CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x76ffa817 CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x76ffa781 CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x76ffaaf3 WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x770fd380 CoInternetIsFeatureZoneElevationEnabled+0x5f0b GetClassURL-0x1db41 urlmon+0x482bf @ 0x777d82bf RegisterBindStatusCallback+0xfc6 CoInternetCanonicalizeIUri-0x1f3 urlmon+0x1767f @ 0x777a767f AddUrlToFavorites+0xb318 DoFileDownload-0x5803 ieframe+0x1b3829 @ 0x6e923829 AddUrlToFavorites+0x9ab2 DoFileDownload-0x7069 ieframe+0x1b1fc3 @ 0x6e921fc3 AddUrlToFavorites+0xadee DoFileDownload-0x5d2d ieframe+0x1b32ff @ 0x6e9232ff AddUrlToFavorites+0x101ed DoFileDownload-0x92e ieframe+0x1b86fe @ 0x6e9286fe gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7 CreateDialogParamW+0x54c DefDlgProcW-0x45 user32+0x35b7c @ 0x761f5b7c CreateDialogParamW+0x3c3 DefDlgProcW-0x1ce user32+0x359f3 @ 0x761f59f3 DefDlgProcW+0x22 MapVirtualKeyA-0x455 user32+0x35be3 @ 0x761f5be3 gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7 gapfnScSendMessage+0x2cf DispatchMessageW-0x67a user32+0x1c5e7 @ 0x761dc5e7 gapfnScSendMessage+0x901 DispatchMessageW-0x48 user32+0x1cc19 @ 0x761dcc19 DispatchMessageW+0xf TranslateMessageEx-0x9 user32+0x1cc70 @ 0x761dcc70 AddUrlToFavorites+0xafec DoFileDownload-0x5b2f ieframe+0x1b34fd @ 0x6e9234fd DllInstall+0x3d45 IEGetWriteableHKCU-0x5392 ieframe+0x199a65 @ 0x6e909a65 BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45 RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5 RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8 exception.instruction_r: c9 c2 10 00 89 45 c0 eb ed 64 a1 18 00 00 00 8b exception.symbol: RaiseException+0x54 BaseReleaseProcessDllPath-0x100 kernelbase+0xb760 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80010012 exception.offset: 46944 exception.address: 0x75d8b760 registers.esp: 79491260 registers.edi: 1996552720 registers.eax: 79491260 registers.ebp: 79491340 registers.edx: 5039504 registers.ebx: 5262740 registers.esi: 2147549202 registers.ecx: 121349043	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 17, 2021, 1:35 p.m.

stacktrace:

RpcRaiseException+0x4b RpcExceptionFilter-0xf rpcrt4+0x1e106 @ 0x7799e106
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x770ff725
RpcMgmtSetCancelTimeout+0x107 NdrMesTypeAlignSize2-0x28 rpcrt4+0x24926 @ 0x779a4926
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x770fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x76ff98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x76ffb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x76ffb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x76ffb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x76ffa66e
CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x76ffa817
CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x76ffa781
CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x76ffaaf3
WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x770fd380
CoInternetIsFeatureZoneElevationEnabled+0x5f0b GetClassURL-0x1db41 urlmon+0x482bf @ 0x777d82bf
RegisterBindStatusCallback+0xfc6 CoInternetCanonicalizeIUri-0x1f3 urlmon+0x1767f @ 0x777a767f
AddUrlToFavorites+0xb318 DoFileDownload-0x5803 ieframe+0x1b3829 @ 0x6e923829
AddUrlToFavorites+0x9ab2 DoFileDownload-0x7069 ieframe+0x1b1fc3 @ 0x6e921fc3
AddUrlToFavorites+0xadee DoFileDownload-0x5d2d ieframe+0x1b32ff @ 0x6e9232ff
AddUrlToFavorites+0x101ed DoFileDownload-0x92e ieframe+0x1b86fe @ 0x6e9286fe
gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7
CreateDialogParamW+0x54c DefDlgProcW-0x45 user32+0x35b7c @ 0x761f5b7c
CreateDialogParamW+0x3c3 DefDlgProcW-0x1ce user32+0x359f3 @ 0x761f59f3
DefDlgProcW+0x22 MapVirtualKeyA-0x455 user32+0x35be3 @ 0x761f5be3
gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7
gapfnScSendMessage+0x2cf DispatchMessageW-0x67a user32+0x1c5e7 @ 0x761dc5e7
gapfnScSendMessage+0x901 DispatchMessageW-0x48 user32+0x1cc19 @ 0x761dcc19
DispatchMessageW+0xf TranslateMessageEx-0x9 user32+0x1cc70 @ 0x761dcc70
AddUrlToFavorites+0xafec DoFileDownload-0x5b2f ieframe+0x1b34fd @ 0x6e9234fd
DllInstall+0x3d45 IEGetWriteableHKCU-0x5392 ieframe+0x199a65 @ 0x6e909a65
BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: c9 c2 10 00 89 45 c0 eb ed 64 a1 18 00 00 00 8b
exception.symbol: RaiseException+0x54 BaseReleaseProcessDllPath-0x100 kernelbase+0xb760
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 46944
exception.address: 0x75d8b760
registers.esp: 79491260
registers.edi: 1996552720
registers.eax: 79491260
registers.ebp: 79491340
registers.edx: 5039504
registers.ebx: 5262740
registers.esi: 2147549202
registers.ecx: 121349043

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET http://www.bing.com/favicon.ico
request	GET http://srand04rf.ru/f7juhkryu4.exe
request	GET http://api.ipify.org/?format=xml

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

srand04rf.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761e3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b67000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772a9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76122000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72322000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fff0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761e3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b67000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772a9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76122000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7621e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761e3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7620d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b67000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x772a9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76122000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77009000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761ca000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 5400 crashed
__exception__ June 17, 2021, 1:35 p.m.	stacktrace: RpcRaiseException+0x4b RpcExceptionFilter-0xf rpcrt4+0x1e106 @ 0x7799e106 DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x770ff725 RpcMgmtSetCancelTimeout+0x107 NdrMesTypeAlignSize2-0x28 rpcrt4+0x24926 @ 0x779a4926 WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x770fc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x76ff98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x76ffb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x76ffb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x76ffb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x76ffa66e CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x76ffa817 CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x76ffa781 CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x76ffaaf3 WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x770fd380 CoInternetIsFeatureZoneElevationEnabled+0x5f0b GetClassURL-0x1db41 urlmon+0x482bf @ 0x777d82bf RegisterBindStatusCallback+0xfc6 CoInternetCanonicalizeIUri-0x1f3 urlmon+0x1767f @ 0x777a767f AddUrlToFavorites+0xb318 DoFileDownload-0x5803 ieframe+0x1b3829 @ 0x6e923829 AddUrlToFavorites+0x9ab2 DoFileDownload-0x7069 ieframe+0x1b1fc3 @ 0x6e921fc3 AddUrlToFavorites+0xadee DoFileDownload-0x5d2d ieframe+0x1b32ff @ 0x6e9232ff AddUrlToFavorites+0x101ed DoFileDownload-0x92e ieframe+0x1b86fe @ 0x6e9286fe gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7 CreateDialogParamW+0x54c DefDlgProcW-0x45 user32+0x35b7c @ 0x761f5b7c CreateDialogParamW+0x3c3 DefDlgProcW-0x1ce user32+0x359f3 @ 0x761f59f3 DefDlgProcW+0x22 MapVirtualKeyA-0x455 user32+0x35be3 @ 0x761f5be3 gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7 gapfnScSendMessage+0x2cf DispatchMessageW-0x67a user32+0x1c5e7 @ 0x761dc5e7 gapfnScSendMessage+0x901 DispatchMessageW-0x48 user32+0x1cc19 @ 0x761dcc19 DispatchMessageW+0xf TranslateMessageEx-0x9 user32+0x1cc70 @ 0x761dcc70 AddUrlToFavorites+0xafec DoFileDownload-0x5b2f ieframe+0x1b34fd @ 0x6e9234fd DllInstall+0x3d45 IEGetWriteableHKCU-0x5392 ieframe+0x199a65 @ 0x6e909a65 BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45 RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5 RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8 exception.instruction_r: c9 c2 10 00 89 45 c0 eb ed 64 a1 18 00 00 00 8b exception.symbol: RaiseException+0x54 BaseReleaseProcessDllPath-0x100 kernelbase+0xb760 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80010012 exception.offset: 46944 exception.address: 0x75d8b760 registers.esp: 79491260 registers.edi: 1996552720 registers.eax: 79491260 registers.ebp: 79491340 registers.edx: 5039504 registers.ebx: 5262740 registers.esi: 2147549202 registers.ecx: 121349043	1	0	0

Application Crash

Process iexplore.exe with pid 5400 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

June 17, 2021, 1:35 p.m.

stacktrace:

RpcRaiseException+0x4b RpcExceptionFilter-0xf rpcrt4+0x1e106 @ 0x7799e106
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x770ff725
RpcMgmtSetCancelTimeout+0x107 NdrMesTypeAlignSize2-0x28 rpcrt4+0x24926 @ 0x779a4926
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x770fc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x76ff98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x76ffb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x76ffb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x76ffb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x76ffa66e
CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x76ffa817
CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x76ffa781
CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x76ffaaf3
WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x770fd380
CoInternetIsFeatureZoneElevationEnabled+0x5f0b GetClassURL-0x1db41 urlmon+0x482bf @ 0x777d82bf
RegisterBindStatusCallback+0xfc6 CoInternetCanonicalizeIUri-0x1f3 urlmon+0x1767f @ 0x777a767f
AddUrlToFavorites+0xb318 DoFileDownload-0x5803 ieframe+0x1b3829 @ 0x6e923829
AddUrlToFavorites+0x9ab2 DoFileDownload-0x7069 ieframe+0x1b1fc3 @ 0x6e921fc3
AddUrlToFavorites+0xadee DoFileDownload-0x5d2d ieframe+0x1b32ff @ 0x6e9232ff
AddUrlToFavorites+0x101ed DoFileDownload-0x92e ieframe+0x1b86fe @ 0x6e9286fe
gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7
CreateDialogParamW+0x54c DefDlgProcW-0x45 user32+0x35b7c @ 0x761f5b7c
CreateDialogParamW+0x3c3 DefDlgProcW-0x1ce user32+0x359f3 @ 0x761f59f3
DefDlgProcW+0x22 MapVirtualKeyA-0x455 user32+0x35be3 @ 0x761f5be3
gapfnScSendMessage+0x1cf DispatchMessageW-0x77a user32+0x1c4e7 @ 0x761dc4e7
gapfnScSendMessage+0x2cf DispatchMessageW-0x67a user32+0x1c5e7 @ 0x761dc5e7
gapfnScSendMessage+0x901 DispatchMessageW-0x48 user32+0x1cc19 @ 0x761dcc19
DispatchMessageW+0xf TranslateMessageEx-0x9 user32+0x1cc70 @ 0x761dcc70
AddUrlToFavorites+0xafec DoFileDownload-0x5b2f ieframe+0x1b34fd @ 0x6e9234fd
DllInstall+0x3d45 IEGetWriteableHKCU-0x5392 ieframe+0x199a65 @ 0x6e909a65
BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

Steals private information from local Internet browsers (5 events)

file	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local State
file	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: smss.exe process_identifier: 276	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: csrss.exe process_identifier: 352	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: wininit.exe process_identifier: 400	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: csrss.exe process_identifier: 408	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: winlogon.exe process_identifier: 448	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: services.exe process_identifier: 492	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: lsass.exe process_identifier: 508	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: lsm.exe process_identifier: 516	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 616	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 696	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 788	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 832	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 872	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 1024	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 1128	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: spoolsv.exe process_identifier: 1252	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 1280	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: taskhost.exe process_identifier: 1436	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 1468	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: sppsvc.exe process_identifier: 1916	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 124	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: svchost.exe process_identifier: 316	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: dwm.exe process_identifier: 1332	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: explorer.exe process_identifier: 1624	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: GrooveMonitor.exe process_identifier: 2084	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: pw.exe process_identifier: 2116	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: SearchIndexer.exe process_identifier: 2336	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: wmpnetwk.exe process_identifier: 1960	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: audiodg.exe process_identifier: 4860	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: pw.exe process_identifier: 5328	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: taskhost.exe process_identifier: 7224	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: slui.exe process_identifier: 8032	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: SearchProtocolHost.exe process_identifier: 5124	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: SearchFilterHost.exe process_identifier: 3948	1	1
Process32NextW June 17, 2021, 1:35 p.m.	snapshot_handle: 0x000003ac process_name: f7juhkryu4[1].exe process_identifier: 3016	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 17, 2021, 1:35 p.m.	process_identifier: 5224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x029a0000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (50 out of 473 events)

url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jwTh.img?h=75
url	http://ib.adnxs.com/async_usersync_file
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jyJT.img?h=194
url	http://175.208.134.150:8282/test/test.eml
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jXod.img?h=75
url	https://www.adobe.com/etc.clientlibs/beagle/fe/adobe-head.min.fp-49c976728c560175ef3915d2bbcaa219.js
url	https://www.winzip.com/static/css/footer.css
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jVxR.img?h=75
url	https://www.adobe.com/etc.clientlibs/globalnav/clientlibs/base/feds.js
url	http://ns.adobe.com/photoshop/1.0/
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15WEhx.img?h=75
url	https://check.torproject.org
url	https://www.adobe.com/etc.fps.clientlibs/beagle/fe/resources/js/aceui-reimagine.min.fp-46d231648420acef91191168b1b30762.js
url	http://ns.adobe.com/exif/1.0/
url	https://www.winzip.com/static/css/leap-over-promo.css
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jn2i.img?h=75
url	https://www.adobe.com/etc.clientlibs/beagle/fe/liveperson.min.fp-0232b34deadc0421a8b6a57415f16562.css
url	https://support.
url	http://www.e-szigno.hu/SZSZ/0
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://www.quovadis.bm0
url	http://www.microsoft.com/money
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAbCGCU.img?h=16
url	http://www.chambersign.org1
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16juv5.img?h=194
url	https://www.gstatic.com/m/images/sy_stars_9.gif
url	http://certificates.starfieldtech.com/repository/1604
url	https://www.google.com/chrome/static/css/main.v2.min.css
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jug1.img?h=194
url	https://www.microsoft.com/onerfstatics/marketingsites-eas-prod/korean/iegallery/_scrf/css/themes=default.device=uplevel_web_pc_midlevel/8b-a47527/81-97d559/21-7d6c87/81-e5bb90?ver=2.0
url	https://www.winzip.com/static/images/learn/tutorials/zip.png
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJz5h3.img?h=16
url	http://www.xi-soft.com/downloads/NXSetup_x86.zip
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16ckHa.img?h=194
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	https://www.google.com/chrome/static/images/benefits/module-4/connected_global_desktop.png
url	http://www.microsoft.com/library/images/gifs/ticker/white.bmp
url	https://www.microsoft.com/mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff2)%20format(%22woff2%22)
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16eU9W.img?h=75
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
url	https://www.netlock.net/docs
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB169raL.img?h=194
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jOrw.img?h=75
url	https://www.winzip.com/static/javascript/lang.js
url	http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16jvkk.img?h=75
url	https://www.facebook.com/chat/video/vide
url	http://www.certplus.com/CRL/class3TS.crl0

Yara rule detected in process memory (42 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 101 events)

Time & API	Arguments	Status
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 78.0.1 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 78.0.1 (x86 ko)	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 78.0.1 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 78.0.1 (x86 ko)	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F457224-ED0D-3CC6-8E45-576E4E72D2E2} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F457224-ED0D-3CC6-8E45-576E4E72D2E2}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F457224-ED0D-3CC6-8E45-576E4E72D2E2} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F457224-ED0D-3CC6-8E45-576E4E72D2E2}	1
RegOpenKeyExW June 17, 2021, 1:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe"
cmdline	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5224 CREDAT:79873

Modifies the ZoneTransfer.ZoneID in Zone.Identifier ADS, generally to disable security warnings (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 17, 2021, 1:35 p.m.	create_disposition: 3 (FILE_OPEN_IF) file_handle: 0x000006a4 filepath: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe:Zone.Identifier desired_access: 0xc0100000 (SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 128 (FILE_ATTRIBUTE_NORMAL) filepath_r: \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe:Zone.Identifier create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtWriteFile June 17, 2021, 1:35 p.m.	buffer: [ZoneTransfer] ZoneId=3 offset: 0 file_handle: 0x000006a4 filepath: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe:Zone.Identifier	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

13.107.21.200

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\Administrator\AppData\Roaming\Bitcoin\wallets
file	C:\Users\Administrator\AppData\Roaming\Electrum\wallets

Drops a binary and executes it (1 event)

file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe

Harvests credentials from local FTP client softwares (1 event)

registry

HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\Administrator\AppData\Roaming\.purple\accounts.xml

Collects information about installed applications (36 events)

Time & API	Arguments	Status
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox 78.0.1 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 78.0.1 (x86 ko)\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F457224-ED0D-3CC6-8E45-576E4E72D2E2}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.17 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9255D53C-6C21-4664-AAF3-6EAC50F867D9}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F612429-4A00-3D44-88CF-146DA2EE1F92}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExW June 17, 2021, 1:35 p.m.	key_handle: 0x00000378 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한글과컴퓨터 한글 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2423C36-006E-4270-AEBC-CFC4CAF2C310}\DisplayName	1

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Sophos	malware site
CRDF	malicious site
Fortinet	malware site
Trustwave	malicious site
CyRadar	malicious site
Webroot	malicious site
Avira	malware site
AegisLab WebGuard	malicious site
ESTsecurity-Threat Inside	malicious site
Kaspersky	malware site
URLhaus	malicious site
Spamhaus	malware site
G-Data	malware site
Forcepoint ThreatSeeker	malicious site
ESET	malware site
SCUMWARE_org	malware site

One or more non-whitelisted processes were created (2 events)

parent_process	iexplore.exe				martian_process	"C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe"
parent_process	iexplore.exe				martian_process	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF0IKJEB\f7juhkryu4[1].exe

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (3 events)

url	http://175.208.134.150:8282/test/test.eml
url	http://175.208.134.150:8282/favicon.ico
url	http://175.208.134.150:8282/test/doc1.zip

url	https://check.torproject.org

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\Administrator\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5224 resumed a thread in remote process 5400
NtResumeThread June 17, 2021, 1:35 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 5400	1	0	0

Generates some ICMP traffic

http://srand04rf.ru/f7juhkryu4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All