Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 11:33 a.m.	June 25, 2021, 11:35 a.m.

Size	13.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`438e38292895c8ea8dc60ccae621dec2`
SHA256	`7010be12a111333ab5bff9b8ca3b84e71bea912a84d2f24661541c2cf50596c4`
CRC32	`BFDB0F83`
ssdeep	`196608:EHGwaO5oVJLLTMzpl/+LMzQ8dBUaPEAJnEnukG0ulw44xdwhwpQPoj7+:NwvKVQzr/+7EU4EMnP0uluwaVG`
Yara	IsPE64 - (no description) Antivirus - Contains references to security software OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

pcad164.exe "C:\Users\test22\AppData\Local\Temp\pcad164.exe"
2616
- cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\pshrjkgk\svzwipnvdb.exe"
  4636
  - svzwipnvdb.exe C:\Windows\pshrjkgk\svzwipnvdb.exe
    8620
    - net.exe net stop windefend
      5752
      - net1.exe C:\Windows\system32\net1 stop windefend
        4964
    - sc.exe sc stop WinDefend
      3724
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      7076
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        4376
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      6304
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        7608
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      6660
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        6960
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      4828
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        2540
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      6344
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        6104
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      8044
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        7684
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      3824
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        6620
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      6508
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        7728
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      8436
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        4308
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      7856
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        1136
    - cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"
      6548
      - userfsp.exe C:\Windows\PLA\userfsp.exe
        8540
- msiexec.exe msiexec /x {6444D213-9395-442A-A7D8-EAFEA7948BA7} /qn
  6676
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\mokill.bat" "
  7184

Name	Response	Post-Analysis Lookup
checkip.dyndns.org	A 131.186.161.70 A 216.146.43.70 A 216.146.43.71 CNAME checkip.dyndns.com A 131.186.113.70 A 162.88.193.70	216.146.43.71

IP Address	Status	Action
13.209.83.196	Active	Moloch
131.186.161.70	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2012758	ET INFO DYNAMIC_DNS Query to *.dyndns. Domain	Misc activity
TCP 192.168.56.102:49817 -> 131.186.161.70:80	2021378	ET POLICY External IP Lookup - checkip.dyndns.org	Device Retrieving External IP Address Detected
TCP 131.186.161.70:80 -> 192.168.56.102:49817	2014932	ET POLICY DynDNS CheckIp External IP Address Server Response	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 25, 2021, 11:33 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA June 25, 2021, 11:33 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 56 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:33 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:34 a.m.			0	0

Command line console output was observed (17 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: [SC] ControlService FAILED 1062: The service has not been started. console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: The Windows Defender service is not started. console_handle: 0x0000000b	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: More help is available by typing NET HELPMSG 3521. console_handle: 0x0000000b	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: /f /s /q "C:\Users\test22\AppData\Local\Temp\pcad164.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\pcad164.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: if console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\pcad164.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: goto console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: Repeat console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: /s /q "mokill.bat" console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\mokill.bat console_handle: 0x0000000000000007	1	1
WriteConsoleW June 25, 2021, 11:33 a.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

FILE

One or more processes crashed (50 out of 133 events)

Time & API	Arguments	Status
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: svzwipnvdb+0xb080b9 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 11567289 exception.address: 0x15a80b9 registers.esp: 3603420 registers.edi: 0 registers.eax: 1 registers.ebp: 3603436 registers.edx: 24383488 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 52 e9 e0 fa ff ff 81 f6 a8 exception.symbol: svzwipnvdb+0x86c4f9 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 8832249 exception.address: 0x130c4f9 registers.esp: 3603384 registers.edi: 1970405608 registers.eax: 27082 registers.ebp: 4009992212 registers.edx: 11141120 registers.ebx: 19971546 registers.esi: 3 registers.ecx: 1970601984	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 e9 80 f5 ff ff 5a e9 0e 00 00 00 exception.symbol: svzwipnvdb+0x86c8b0 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 8833200 exception.address: 0x130c8b0 registers.esp: 3603388 registers.edi: 1970405608 registers.eax: 27082 registers.ebp: 4009992212 registers.edx: 11141120 registers.ebx: 19998628 registers.esi: 3 registers.ecx: 1970601984	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 00 exception.symbol: svzwipnvdb+0x86c6aa exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 8832682 exception.address: 0x130c6aa registers.esp: 3603388 registers.edi: 4151333304 registers.eax: 27082 registers.ebp: 4009992212 registers.edx: 11141120 registers.ebx: 19974528 registers.esi: 0 registers.ecx: 1970601984	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 94 f9 f5 1e ff 34 24 8b 0c 24 81 c4 04 00 exception.symbol: svzwipnvdb+0x86d34c exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 8835916 exception.address: 0x130d34c registers.esp: 3603388 registers.edi: 237801 registers.eax: 29402 registers.ebp: 4009992212 registers.edx: 638838016 registers.ebx: 1890273594 registers.esi: 19977843 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 56 e9 e7 f8 ff ff 89 34 24 e9 00 00 00 00 f7 exception.symbol: svzwipnvdb+0x9ea8c4 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10397892 exception.address: 0x148a8c4 registers.esp: 3603388 registers.edi: 20011438 registers.eax: 21562386 registers.ebp: 4009992212 registers.edx: 2130566132 registers.ebx: 30671316 registers.esi: 21520115 registers.ecx: 468	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 5b b4 44 0c 89 34 24 89 3c 24 89 0c 24 e9 exception.symbol: svzwipnvdb+0x9ea466 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10396774 exception.address: 0x148a466 registers.esp: 3603388 registers.edi: 659433 registers.eax: 21539246 registers.ebp: 4009992212 registers.edx: 2130566132 registers.ebx: 30671316 registers.esi: 21520115 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 51 89 1c 24 57 c7 04 24 a9 54 ef 17 e9 2e 00 exception.symbol: svzwipnvdb+0x9ecc5f exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10407007 exception.address: 0x148cc5f registers.esp: 3603388 registers.edi: 21578032 registers.eax: 31193 registers.ebp: 4009992212 registers.edx: 6390853 registers.ebx: 202985 registers.esi: 4294938544 registers.ecx: 2000500858	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 42 05 53 30 89 14 24 ba b5 38 41 5c 81 f2 exception.symbol: svzwipnvdb+0x9ee296 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10412694 exception.address: 0x148e296 registers.esp: 3603384 registers.edi: 6369770 registers.eax: 21551881 registers.ebp: 4009992212 registers.edx: 1899731541 registers.ebx: 202985 registers.esi: 4294938544 registers.ecx: 1970655724	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 65 f8 ff ff 89 d6 89 f0 ff 34 24 e9 d5 fe exception.symbol: svzwipnvdb+0x9ee4ac exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10413228 exception.address: 0x148e4ac registers.esp: 3603388 registers.edi: 6369770 registers.eax: 21582037 registers.ebp: 4009992212 registers.edx: 1899731541 registers.ebx: 202985 registers.esi: 1259 registers.ecx: 4294940060	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 04 24 89 34 24 51 exception.symbol: svzwipnvdb+0x9f82e0 exception.instruction: in eax, dx exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10453728 exception.address: 0x14982e0 registers.esp: 3603380 registers.edi: 6369770 registers.eax: 1447909480 registers.ebp: 4009992212 registers.edx: 22104 registers.ebx: 1970540725 registers.esi: 21581632 registers.ecx: 20	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: svzwipnvdb+0x9faebb exception.address: 0x149aebb exception.module: svzwipnvdb.exe exception.exception_code: 0xc000001d exception.offset: 10464955 registers.esp: 3603380 registers.edi: 6369770 registers.eax: 1 registers.ebp: 4009992212 registers.edx: 22104 registers.ebx: 0 registers.esi: 21581632 registers.ecx: 20	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ec 39 2d 12 01 exception.symbol: svzwipnvdb+0x9f9ef4 exception.instruction: in eax, dx exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10460916 exception.address: 0x1499ef4 registers.esp: 3603380 registers.edi: 6369770 registers.eax: 1447909480 registers.ebp: 4009992212 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 21581632 registers.ecx: 10	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 56 e8 03 00 00 00 20 5e c3 5e exception.symbol: svzwipnvdb+0x9fda7b exception.instruction: int 1 exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000005 exception.offset: 10476155 exception.address: 0x149da7b registers.esp: 3603348 registers.edi: 0 registers.eax: 3603348 registers.ebp: 4009992212 registers.edx: 0 registers.ebx: 21617691 registers.esi: 0 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb be 20 a3 6c 2a 50 89 1c 24 83 ec 04 89 2c 24 exception.symbol: svzwipnvdb+0x9fe83b exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10479675 exception.address: 0x149e83b registers.esp: 3603388 registers.edi: 6369770 registers.eax: 32283 registers.ebp: 4009992212 registers.edx: 2130566068 registers.ebx: 21651413 registers.esi: 4294958004 registers.ecx: 2186108337	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 8e 03 00 00 83 ec 04 e9 10 01 00 00 35 cd exception.symbol: svzwipnvdb+0x9fe787 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10479495 exception.address: 0x149e787 registers.esp: 3603388 registers.edi: 6369770 registers.eax: 2283 registers.ebp: 4009992212 registers.edx: 2130566068 registers.ebx: 21622145 registers.esi: 0 registers.ecx: 2186108337	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 81 3d a2 55 89 2c 24 68 bf 92 ec 7b 5d 52 exception.symbol: svzwipnvdb+0xa057b2 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10508210 exception.address: 0x14a57b2 registers.esp: 3603388 registers.edi: 6369770 registers.eax: 21674551 registers.ebp: 4009992212 registers.edx: 21632807 registers.ebx: 21622145 registers.esi: 0 registers.ecx: 21632807	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 bc fe ff ff 5f e9 0b 00 00 00 8b 2c 24 83 exception.symbol: svzwipnvdb+0xa05fb5 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10510261 exception.address: 0x14a5fb5 registers.esp: 3603388 registers.edi: 0 registers.eax: 21651795 registers.ebp: 4009992212 registers.edx: 21632807 registers.ebx: 21622145 registers.esi: 604277075 registers.ecx: 21632807	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 30 ff 34 24 ff 34 24 8b 14 24 81 exception.symbol: svzwipnvdb+0xa0e583 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10544515 exception.address: 0x14ae583 registers.esp: 3603388 registers.edi: 19966750 registers.eax: 29166 registers.ebp: 4009992212 registers.edx: 6 registers.ebx: 63472014 registers.esi: 21713377 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 52 ba c4 39 ff 6f e9 76 01 00 00 89 c3 89 d9 exception.symbol: svzwipnvdb+0xa0e88b exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10545291 exception.address: 0x14ae88b registers.esp: 3603388 registers.edi: 19966750 registers.eax: 4294940804 registers.ebp: 4009992212 registers.edx: 18737495 registers.ebx: 63472014 registers.esi: 21713377 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 fc fd ff ff 51 55 bd 00 2d e9 5d 81 c5 a7 exception.symbol: svzwipnvdb+0xa14357 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10568535 exception.address: 0x14b4357 registers.esp: 3603376 registers.edi: 21709060 registers.eax: 28384 registers.ebp: 4009992212 registers.edx: 1954545075 registers.ebx: 237122763 registers.esi: 21713377 registers.ecx: 1954545075	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 57 02 00 00 58 8b 1c 24 81 c4 04 00 00 00 exception.symbol: svzwipnvdb+0xa1452e exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10569006 exception.address: 0x14b452e registers.esp: 3603380 registers.edi: 21712036 registers.eax: 0 registers.ebp: 4009992212 registers.edx: 1954545075 registers.ebx: 237122763 registers.esi: 21713377 registers.ecx: 3923872081	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 2e 00 00 00 f7 d8 2d d7 ca a2 8c 01 c6 58 exception.symbol: svzwipnvdb+0xa18e2c exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10587692 exception.address: 0x14b8e2c registers.esp: 3603380 registers.edi: 21712036 registers.eax: 26099 registers.ebp: 4009992212 registers.edx: 21752087 registers.ebx: 220399861 registers.esi: 21713377 registers.ecx: 2186084352	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 53 89 34 24 51 e9 0c 05 00 00 56 e9 d7 04 00 exception.symbol: svzwipnvdb+0xa18748 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10585928 exception.address: 0x14b8748 registers.esp: 3603380 registers.edi: 21712036 registers.eax: 26099 registers.ebp: 4009992212 registers.edx: 21752087 registers.ebx: 84201 registers.esi: 4294944312 registers.ecx: 2186084352	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 83 ed 04 87 2c 24 exception.symbol: svzwipnvdb+0xa362e4 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10707684 exception.address: 0x14d62e4 registers.esp: 3603348 registers.edi: 3058893076 registers.eax: 29296 registers.ebp: 4009992212 registers.edx: 2130566132 registers.ebx: 21876399 registers.esi: 21842997 registers.ecx: 2186084352	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 4d 00 00 00 8f 03 55 c7 04 24 8d 39 5d 1c exception.symbol: svzwipnvdb+0xa36258 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10707544 exception.address: 0x14d6258 registers.esp: 3603348 registers.edi: 3058893076 registers.eax: 29296 registers.ebp: 4009992212 registers.edx: 116969 registers.ebx: 21849935 registers.esi: 0 registers.ecx: 2186084352	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 db fe ff ff 5b 81 c4 04 00 00 00 01 5c 24 exception.symbol: svzwipnvdb+0xa37ab0 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10713776 exception.address: 0x14d7ab0 registers.esp: 3603344 registers.edi: 21852569 registers.eax: 29526 registers.ebp: 4009992212 registers.edx: 116969 registers.ebx: 945699968 registers.esi: 21851292 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 f7 f2 8f 1c 89 14 24 68 f2 24 ae exception.symbol: svzwipnvdb+0xa37a36 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10713654 exception.address: 0x14d7a36 registers.esp: 3603348 registers.edi: 21855795 registers.eax: 0 registers.ebp: 4009992212 registers.edx: 116969 registers.ebx: 945699968 registers.esi: 604292944 registers.ecx: 0	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 be eb 83 ff 7b e9 exception.symbol: svzwipnvdb+0xa3883d exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10717245 exception.address: 0x14d883d registers.esp: 3603344 registers.edi: 21855795 registers.eax: 29806 registers.ebp: 4009992212 registers.edx: 116969 registers.ebx: 694920598 registers.esi: 604292944 registers.ecx: 21856213	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 57 51 c7 04 24 73 db 7f 14 8b 3c 24 68 76 ce exception.symbol: svzwipnvdb+0xa38058 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10715224 exception.address: 0x14d8058 registers.esp: 3603348 registers.edi: 4294940448 registers.eax: 29806 registers.ebp: 4009992212 registers.edx: 116969 registers.ebx: 3733677664 registers.esi: 604292944 registers.ecx: 21886019	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 41 11 4d 22 89 0c 24 89 14 24 ba 95 93 fb exception.symbol: svzwipnvdb+0xa39bda exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10722266 exception.address: 0x14d9bda registers.esp: 3603348 registers.edi: 21892882 registers.eax: 31549 registers.ebp: 4009992212 registers.edx: 1306868069 registers.ebx: 3733677664 registers.esi: 604292944 registers.ecx: 418516137	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 53 52 68 eb 45 7e 5f ff 34 24 8b 14 24 83 c4 exception.symbol: svzwipnvdb+0xa39b80 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10722176 exception.address: 0x14d9b80 registers.esp: 3603348 registers.edi: 21892882 registers.eax: 4294938788 registers.ebp: 4009992212 registers.edx: 1306868069 registers.ebx: 3733677664 registers.esi: 3649838952 registers.ecx: 418516137	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 40 dd 48 6f 89 2c 24 57 68 d1 21 9b 08 89 exception.symbol: svzwipnvdb+0xa3d6d9 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10737369 exception.address: 0x14dd6d9 registers.esp: 3603348 registers.edi: 3998068486 registers.eax: 21906049 registers.ebp: 4009992212 registers.edx: 1306868069 registers.ebx: 4014862246 registers.esi: 3386545952 registers.ecx: 1328742661	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 57 68 d9 02 f3 17 e9 2d ff ff ff 58 5b c1 e0 exception.symbol: svzwipnvdb+0xa3d398 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10736536 exception.address: 0x14dd398 registers.esp: 3603348 registers.edi: 937467277 registers.eax: 21879461 registers.ebp: 4009992212 registers.edx: 0 registers.ebx: 4014862246 registers.esi: 3386545952 registers.ecx: 1328742661	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 53 e9 d1 00 00 00 89 e7 81 c7 exception.symbol: svzwipnvdb+0xa42085 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10756229 exception.address: 0x14e2085 registers.esp: 3603348 registers.edi: 937467277 registers.eax: 32302 registers.ebp: 4009992212 registers.edx: 0 registers.ebx: 65798 registers.esi: 3386545952 registers.ecx: 21927126	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 c7 04 24 d4 72 68 7f 81 24 24 64 exception.symbol: svzwipnvdb+0xa419f7 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10754551 exception.address: 0x14e19f7 registers.esp: 3603348 registers.edi: 4294937984 registers.eax: 32302 registers.ebp: 4009992212 registers.edx: 0 registers.ebx: 100585 registers.esi: 3386545952 registers.ecx: 21927126	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 df 26 17 27 89 34 24 50 b8 41 d9 ff 56 e9 exception.symbol: svzwipnvdb+0xa44a1e exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10766878 exception.address: 0x14e4a1e registers.esp: 3603348 registers.edi: 21910119 registers.eax: 28938 registers.ebp: 4009992212 registers.edx: 16312663 registers.ebx: 751240335 registers.esi: 0 registers.ecx: 2602745959	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 51 b9 ab b3 b6 1e 81 c1 d3 ed ff 5c 81 f1 b7 exception.symbol: svzwipnvdb+0xa45dab exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10771883 exception.address: 0x14e5dab registers.esp: 3603344 registers.edi: 21910119 registers.eax: 28930 registers.ebp: 4009992212 registers.edx: 1974941843 registers.ebx: 751240335 registers.esi: 21910509 registers.ecx: 1495617883	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0e ff 34 24 e9 84 01 00 00 8b 04 exception.symbol: svzwipnvdb+0xa4546b exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10769515 exception.address: 0x14e546b registers.esp: 3603348 registers.edi: 21910119 registers.eax: 28930 registers.ebp: 4009992212 registers.edx: 1974941843 registers.ebx: 751240335 registers.esi: 21939439 registers.ecx: 1495617883	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 55 51 e9 21 06 00 00 50 52 ba 22 d6 ef 7f 81 exception.symbol: svzwipnvdb+0xa456c0 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10770112 exception.address: 0x14e56c0 registers.esp: 3603348 registers.edi: 81129 registers.eax: 28930 registers.ebp: 4009992212 registers.edx: 1974941843 registers.ebx: 751240335 registers.esi: 21939439 registers.ecx: 4294941044	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 c7 04 24 00 35 fc 77 81 2c exception.symbol: svzwipnvdb+0xa58d19 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10849561 exception.address: 0x14f8d19 registers.esp: 3603348 registers.edi: 2186084352 registers.eax: 26848 registers.ebp: 4009992212 registers.edx: 21779439 registers.ebx: 21971926 registers.esi: 3784968 registers.ecx: 22016023	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 ec aa b0 07 89 2c 24 e9 1e 00 00 00 b8 1d exception.symbol: svzwipnvdb+0xa59214 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10850836 exception.address: 0x14f9214 registers.esp: 3603348 registers.edi: 3803861584 registers.eax: 26848 registers.ebp: 4009992212 registers.edx: 21779439 registers.ebx: 21971926 registers.esi: 4294943588 registers.ecx: 22016023	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 53 bb 77 3f bb 4f 83 ec 04 89 14 24 83 ec 04 exception.symbol: svzwipnvdb+0xa5dde9 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10870249 exception.address: 0x14fdde9 registers.esp: 3603344 registers.edi: 3803861584 registers.eax: 29032 registers.ebp: 4009992212 registers.edx: 22010031 registers.ebx: 201334806 registers.esi: 3824494270 registers.ecx: 237874135	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 e9 b8 fd ff ff 05 f0 de c6 exception.symbol: svzwipnvdb+0xa5db3d exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10869565 exception.address: 0x14fdb3d registers.esp: 3603348 registers.edi: 3803861584 registers.eax: 29032 registers.ebp: 4009992212 registers.edx: 22039063 registers.ebx: 201334806 registers.esi: 3824494270 registers.ecx: 237874135	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 57 e9 79 00 00 00 81 ed 51 03 7a f2 01 ee ff exception.symbol: svzwipnvdb+0xa5da65 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10869349 exception.address: 0x14fda65 registers.esp: 3603348 registers.edi: 3803861584 registers.eax: 29032 registers.ebp: 4009992212 registers.edx: 22013023 registers.ebx: 0 registers.esi: 605849943 registers.ecx: 237874135	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 81 ea c2 17 5d 6f 81 c2 b3 1a ff 7b 56 be 87 exception.symbol: svzwipnvdb+0xa6b95a exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10926426 exception.address: 0x150b95a registers.esp: 3603344 registers.edi: 3998469141 registers.eax: 31151 registers.ebp: 4009992212 registers.edx: 22064739 registers.ebx: 4015255413 registers.esi: 44062179 registers.ecx: 2152629092	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 ed 03 00 00 87 14 24 5c e9 18 02 00 exception.symbol: svzwipnvdb+0xa6b119 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10924313 exception.address: 0x150b119 registers.esp: 3603348 registers.edi: 3998469141 registers.eax: 31151 registers.ebp: 4009992212 registers.edx: 22095890 registers.ebx: 4015255413 registers.esi: 44062179 registers.ecx: 2152629092	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 cc a5 a2 5c e9 00 fb ff ff 5e 89 exception.symbol: svzwipnvdb+0xa6b69c exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10925724 exception.address: 0x150b69c registers.esp: 3603348 registers.edi: 3998469141 registers.eax: 31151 registers.ebp: 4009992212 registers.edx: 22095890 registers.ebx: 322689 registers.esi: 44062179 registers.ecx: 4294939364	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 53 bb e1 71 7f 7d 4b f7 d3 81 c3 2d be 7b d8 exception.symbol: svzwipnvdb+0xa6f863 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10942563 exception.address: 0x150f863 registers.esp: 3603344 registers.edi: 3998469141 registers.eax: 22080277 registers.ebp: 4009992212 registers.edx: 2130566132 registers.ebx: 265759146 registers.esi: 44062179 registers.ecx: 2186084352	1
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: fb 68 34 13 c4 2c 89 0c 24 e9 e2 05 00 00 89 e5 exception.symbol: svzwipnvdb+0xa6ef18 exception.instruction: sti exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10940184 exception.address: 0x150ef18 registers.esp: 3603348 registers.edi: 3998469141 registers.eax: 22083981 registers.ebp: 4009992212 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 44062179 registers.ecx: 31320403	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://checkip.dyndns.org/

Connects to a Dynamic DNS Domain (1 event)

domain

checkip.dyndns.org

Performs some HTTP requests (1 event)

request

GET http://checkip.dyndns.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 80 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc0f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdddd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007356d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb70c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6db000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd0cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 6676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb6bd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 172032 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:33 a.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

svzwipnvdb.exe tried to sleep 1034 seconds, actually delayed analysis time by 1034 seconds

Foreign language identified in PE resource (5 events)

name

FILE

language

LANG_KOREAN

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_KOREAN

offset

0x00a65fd4

size

0x002eb000

name

FILE

language

LANG_KOREAN

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_KOREAN

offset

0x00a65fd4

size

0x002eb000

name

FILE

language

LANG_KOREAN

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_KOREAN

offset

0x00a65fd4

size

0x002eb000

name

FILE

language

LANG_KOREAN

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_KOREAN

offset

0x00a65fd4

size

0x002eb000

name

RT_VERSION

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x00d50fd4

size

0x0000033c

Looks up the external IP address (1 event)

domain

checkip.dyndns.org

Creates executable files on the filesystem (5 events)

file	C:\Windows\pshrjkgk\svzwipnvdb.exe
file	C:\Windows\System32\hpis.dll
file	C:\Windows\System32\hpim.dll
file	C:\Windows\PLA\userfsp.exe
file	C:\Users\test22\AppData\Local\Temp\mokill.bat

Creates hidden or system file (5 events)

Time & API	Arguments	Status	Return
SetFileAttributesW June 25, 2021, 11:32 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\pshrjkgk filepath: C:\Windows\pshrjkgk	1	1
SetFileAttributesW June 25, 2021, 11:33 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\Fonts.Lists filepath: C:\Windows\Fonts.Lists	1	1
SetFileAttributesW June 25, 2021, 11:33 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\pshrjkgk\conf.ini filepath: C:\Windows\pshrjkgk\conf.ini	1	1
SetFileAttributesW June 25, 2021, 11:33 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\pshrjkgk\conf.ini filepath: C:\Windows\pshrjkgk\conf.ini	1	1
SetFileAttributesW June 25, 2021, 11:33 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\PLA filepath: C:\Windows\PLA	1	1

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\cmd.exe /c "C:\Windows\pshrjkgk\svzwipnvdb.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Windows\pshrjkgk\svzwipnvdb.exe"
cmdline	C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe"

A process created a hidden window (16 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 25, 2021, 11:33 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c "C:\Windows\pshrjkgk\svzwipnvdb.exe" filepath: C:\Windows\System32\cmd.exe	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 8800 thread_handle: 0x00000000000001e4 process_identifier: 6676 current_directory: C:\Windows\system32 filepath: track: 1 command_line: msiexec /x {6444D213-9395-442A-A7D8-EAFEA7948BA7} /qn filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000001e0	1	1
ShellExecuteExW June 25, 2021, 11:33 a.m.	show_type: 0 filepath_r: mokill.bat parameters: filepath: mokill.bat	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 4368 thread_handle: 0x00000360 process_identifier: 5752 current_directory: C:\Windows\system32 filepath: track: 1 command_line: net stop windefend filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 9024 thread_handle: 0x000003a0 process_identifier: 3724 current_directory: C:\Windows\system32 filepath: track: 1 command_line: sc stop WinDefend filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003b4	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 1036 thread_handle: 0x000003b0 process_identifier: 7076 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003dc	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 6612 thread_handle: 0x000003c8 process_identifier: 6304 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 3716 thread_handle: 0x000003f4 process_identifier: 6660 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003f0	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 4640 thread_handle: 0x000003f8 process_identifier: 4828 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003fc	1	1
CreateProcessInternalW June 25, 2021, 11:33 a.m.	thread_identifier: 4288 thread_handle: 0x00000404 process_identifier: 6344 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000408	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 8272 thread_handle: 0x0000040c process_identifier: 8044 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000410	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 2264 thread_handle: 0x00000300 process_identifier: 3824 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000338	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 6556 thread_handle: 0x00000320 process_identifier: 6508 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003c0	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 3808 thread_handle: 0x000003d8 process_identifier: 8436 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000324	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 4124 thread_handle: 0x00000414 process_identifier: 7856 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW June 25, 2021, 11:34 a.m.	thread_identifier: 2036 thread_handle: 0x00000418 process_identifier: 6548 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userfsp.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000041c	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 events)

Time & API	Arguments	Status	Return
Process32NextW June 25, 2021, 11:32 a.m.	snapshot_handle: 0x00000000000000b4 process_name: taskhost.exe process_identifier: 6840	1	1
Process32NextW June 25, 2021, 11:32 a.m.	snapshot_handle: 0x00000000000000b4 process_name: cmd.exe process_identifier: 8652	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: slui.exe process_identifier: 8708	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: cmd.exe process_identifier: 4636	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: conhost.exe process_identifier: 8728	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: msiexec.exe process_identifier: 6676	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000374 process_name: svzwipnvdb.exe process_identifier: 8620	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000374 process_name: msiexec.exe process_identifier: 4452	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: conhost.exe process_identifier: 7912	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: userfsp.exe process_identifier: 4376	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003f0 process_name: svchost.exe process_identifier: 3456	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: cmd.exe process_identifier: 7908	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: cmd.exe process_identifier: 7184	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: conhost.exe process_identifier: 6460	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003f4 process_name: cmd.exe process_identifier: 1904	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003f4 process_name: pw.exe process_identifier: 7056	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003fc process_name: cmd.exe process_identifier: 7496	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003fc process_name: conhost.exe process_identifier: 3448	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003fc process_name: pw.exe process_identifier: 7280	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000404 process_name: cmd.exe process_identifier: 5476	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000404 process_name: pw.exe process_identifier: 8380	1	1
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000410 process_name: conhost.exe process_identifier: 7452	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000300 process_name: cmd.exe process_identifier: 8404	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000300 process_name: pw.exe process_identifier: 6312	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 4464	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000320 process_name: conhost.exe process_identifier: 4724	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 5052	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000324 process_name: pw.exe process_identifier: 6592	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x000003d0 process_name: conhost.exe process_identifier: 6024	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000414 process_name: pw.exe process_identifier: 6220	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x0000041c process_name: conhost.exe process_identifier: 5840	1	1
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x0000041c process_name: pw.exe process_identifier: 7508	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00cf7600', u'virtual_address': u'0x0005a000', u'entropy': 7.470127032695355, u'name': u'.rsrc', u'virtual_size': u'0x00cf7478'}

entropy

7.4701270327

description

A section with a high entropy has been found

entropy

0.97306705753

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 11:33 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (28 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 25, 2021, 11:32 a.m.	snapshot_handle: 0x00000000000000b4 process_name: pcad164.exe process_identifier: 2616		0	0
Process32NextW June 25, 2021, 11:32 a.m.	snapshot_handle: 0x00000000000000b4 process_name: pcad164.exe process_identifier: 2616		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: msiexec.exe process_identifier: 6676		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x0000000000000128 process_name: msiexec.exe process_identifier: 6676		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000374 process_name: msiexec.exe process_identifier: 4452		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000374 process_name: msiexec.exe process_identifier: 4452		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: userfsp.exe process_identifier: 4376		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 7312		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: pw.exe process_identifier: 7312		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 7312		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: pw.exe process_identifier: 7312		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: conhost.exe process_identifier: 6460		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: conhost.exe process_identifier: 6460		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003e8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003c8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003f4 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x000003fc process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000408 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:33 a.m.	snapshot_handle: 0x00000410 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000418 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000414 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000418 process_name: svchost.exe process_identifier: 3456		0	0
Process32NextW June 25, 2021, 11:34 a.m.	snapshot_handle: 0x00000424 process_name: svchost.exe process_identifier: 3456		0	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (50 out of 202 events)

Time & API	Arguments	Status	Return
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 7076 process_handle: 0x000003e8		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 7076 process_handle: 0x000003e8	1	0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f0		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6304 process_handle: 0x000003f4		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003fc		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 6660 process_handle: 0x000003f8		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 4828 process_handle: 0x00000408		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 4828 process_handle: 0x00000408		3221225738
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 4828 process_handle: 0x00000404		0
NtTerminateProcess June 25, 2021, 11:33 a.m.	status_code: 0x00000000 process_identifier: 4828 process_handle: 0x00000404		3221225738

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	sc stop WinDefend
cmdline	net stop windefend

Communicates with host for which no DNS query was performed (2 events)

host	13.209.83.196
host	172.217.25.14

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService June 25, 2021, 11:33 a.m.	service_handle: 0x0026bb50 service_name: WinDefend control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 168 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 25, 2021, 11:33 a.m.	class_name: GBDYLLO window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fsp

reg_value

C:\Windows\pshrjkgk\svzwipnvdb.exe

Attempts to modify browser security settings (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9

Deletes executed files from disk (1 event)

file	C:\Windows\PLA\userfsp.exe

Drops a binary and executes it (2 events)

file	C:\Windows\pshrjkgk\svzwipnvdb.exe
file	C:\Windows\PLA\userfsp.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2616 resumed a thread in remote process 4636
NtResumeThread June 25, 2021, 11:33 a.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 4636	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 25, 2021, 11:33 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 04 24 89 34 24 51 exception.symbol: svzwipnvdb+0x9f82e0 exception.instruction: in eax, dx exception.module: svzwipnvdb.exe exception.exception_code: 0xc0000096 exception.offset: 10453728 exception.address: 0x14982e0 registers.esp: 3603380 registers.edi: 6369770 registers.eax: 1447909480 registers.ebp: 4009992212 registers.edx: 22104 registers.ebx: 1970540725 registers.esi: 21581632 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Disables Windows Security features (3 events)

description	attempts to disable user access control	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37125623
FireEye	Generic.mg.438e38292895c8ea
CAT-QuickHeal	Trojan.Krserv
McAfee	Artemis!438E38292895
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Trojan ( 0053709f1 )
BitDefender	Trojan.GenericKD.37125623
K7GW	Trojan ( 0053709f1 )
Cybereason	malicious.2511a5
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/JackServn.I
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.KrServ.avp
Alibaba	Trojan:Win32/KrServ.a3bd6445
NANO-Antivirus	Trojan.Win32.JackServn.isojtt
Tencent	Win32.Trojan.Generic.Pbzi
Ad-Aware	Trojan.GenericKD.37125623
Emsisoft	Trojan.GenericKD.37125623 (B)
DrWeb	Trojan.Siggen13.57237
Zillya	Trojan.KrServ.Win32.247
TrendMicro	TROJ_GEN.R002C0WFI21
Sophos	Mal/Generic-S
Jiangmin	Trojan.KrServ.an
MaxSecure	Trojan.Malware.115878666.susgen
Avira	TR/JackServn.ihgqr
Antiy-AVL	Trojan/Generic.ASMalwS.26C668F
Microsoft	Trojan:Win32/Ymacco.AA70
Gridinsoft	Adware.Win64.Downloader.dd!n
Arcabit	Trojan.Generic.D2C5C460
GData	Trojan.GenericKD.37125623
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win64.KrServ.C2881380
BitDefenderTheta	Gen:NN.ZedlaF.34758.6w4@aCnq@MfO
ALYac	Trojan.GenericKD.46515296
MAX	malware (ai score=80)
Malwarebytes	Malware.AI.4087922449
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0WFI21
Rising	Trojan.Generic@ML.99 (RDMK:GE0fi5lPQghf2R32bpExDA)
Yandex	Trojan.JackServn!HaqZpU9I2PU
Ikarus	Trojan.Win32.Jackservn
Fortinet	W64/JackServn.I!tr
AVG	Win32:Trojan-gen
Avast	Win32:Trojan-gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.102:49807
dead_host	13.209.83.196:55004

pcad164.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All