Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 15, 2021, 12:29 p.m.	Aug. 15, 2021, 12:56 p.m.

Size	923.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aa587896aed2ffa708a0d2f636856034`
SHA256	`cb1e959421818bfd984d74595d0b5df2c2b709ea1c14881a30838ae4ed2a0d5f`
CRC32	`1390945C`
ssdeep	`24576:mSLXbC4FylKrdLLkB59d12GUBeHKANy4onenuqds1kXx+:VrylKpoBxjUBP2S6uqGmh+`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

flx11.exe "C:\Users\test22\AppData\Local\Temp\flx11.exe"
2648
- dllhost.exe "C:\Windows\System32\dllhost.exe"
  2076
- cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Per.mdb
  2256
  - cmd.exe cmd
    1296
    - findstr.exe findstr /V /R "^ZHOJmZdMpJQvRMzCBqksNzVigmIPegogVyRZYHxxrBVgqJwHVDOKiYUGLHxZsAJVABAMVzEUFQgjbHuFnwTnAniWllgdjxrCRqOnogLBZUtdKHorAPBdGlcwxECKyh$" Improvvisa.mdb
      1812
    - Esistenza.exe.com Esistenza.exe.com f
      2092
      - Esistenza.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com f
        1828
        
        RegAsm.exe C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        872
    - PING.EXE ping localhost -n 30
      3020

Name	Response	Post-Analysis Lookup
VPrAjMzBgeCDinSrfmTNzX.VPrAjMzBgeCDinSrfmTNzX
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

IP Address	Status	Action
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch
193.188.22.4	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49214 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.188.22.4:45689 -> 192.168.56.101:49213	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49214 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 15, 2021, 12:54 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 15, 2021, 12:29 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:54 p.m.			0	0
IsDebuggerPresent Aug. 15, 2021, 12:54 p.m.			0	0

Command line console output was observed (50 out of 89 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set lhjGllNlOsRUDecPjujtO=DESKTOP- console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set KbznwaZedHxUfnBcLl=QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set OAYLRdeSpfFiVCcOMxVMuuUsOxxHiqsWsrWheIy=ping localhost -n console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: if %computername%==%lhjGllNlOsRUDecPjujtO% OAYLRdeSpfFiVCcOMxVMuuUsOxxHiqsWsrWheIy 300 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: Set UkCOJJzefkHrEblAkOCkABLYjZ=MZ console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: <nul set /p = "%UkCOJJzefkHrEblAkOCkABLYjZ%" > Esistenza.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: findstr /V /R "^ZHOJmZdMpJQvRMzCBqksNzVigmIPegogVyRZYHxxrBVgqJwHVDOKiYUGLHxZsAJVABAMVzEUFQgjbHuFnwTnAniWllgdjxrCRqOnogLBZUtdKHorAPBdGlcwxECKyh$" Improvvisa.mdb >> Esistenza.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: copy Tele.mdb f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: start Esistenza.exe.com f console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: %OAYLRdeSpfFiVCcOMxVMuuUsOxxHiqsWsrWheIy% 30 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 15, 2021, 12:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Pinging test22-PC [::1] console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 15, 2021, 12:30 p.m.	buffer: Reply from ::1: console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00745510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00745510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00745550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007be620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007be620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007be4e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007be560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007bea20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 15, 2021, 12:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007bea20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 15, 2021, 12:29 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8aa07 0xb8a949 0xb8a67a 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468568 registers.edi: 47389960 registers.eax: 0 registers.ebp: 3468612 registers.edx: 89795828 registers.ebx: 47389764 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8aa07 0xb8a949 0xb8a67a 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468568 registers.edi: 48355656 registers.eax: 0 registers.ebp: 3468612 registers.edx: 89795828 registers.ebx: 48355460 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8aa07 0xb8a949 0xb8a67a 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468568 registers.edi: 49307672 registers.eax: 0 registers.ebp: 3468612 registers.edx: 89795828 registers.ebx: 49307476 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8c536 0xb8c489 0xb8a6ef 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 46045200 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 46045004 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8c536 0xb8c489 0xb8a6ef 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 47008620 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 47008424 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8c536 0xb8c489 0xb8a6ef 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 47972040 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 47971844 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ca97 0xb8c9e9 0xb8a764 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468564 registers.edi: 48935552 registers.eax: 0 registers.ebp: 3468608 registers.edx: 89795828 registers.ebx: 48935356 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ca97 0xb8c9e9 0xb8a764 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468564 registers.edi: 49986940 registers.eax: 0 registers.ebp: 3468608 registers.edx: 89795828 registers.ebx: 49986744 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ca97 0xb8c9e9 0xb8a764 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468564 registers.edi: 51003048 registers.eax: 0 registers.ebp: 3468608 registers.edx: 89795828 registers.ebx: 51002852 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ced9 0xb8ce29 0xb8a7d5 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 45784720 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 45784524 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ced9 0xb8ce29 0xb8a7d5 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 46802948 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 46802752 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8ced9 0xb8ce29 0xb8a7d5 0xb8a13f 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8ada3 registers.esp: 3468560 registers.edi: 47821176 registers.eax: 0 registers.ebp: 3468604 registers.edx: 89795828 registers.ebx: 47820980 registers.esi: 0 registers.ecx: 89796352	1
__exception__ Aug. 15, 2021, 12:54 p.m.	stacktrace: 0xb8e58a 0xb8e50c 0xb81982 0xb8085c 0xb80070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fc12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fc2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fc22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fcd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fcd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fd61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fd61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fd61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fd6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7251f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72807f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72804de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb8e619 registers.esp: 3468780 registers.edi: 45543912 registers.eax: 0 registers.ebp: 3468804 registers.edx: 7427104 registers.ebx: 44180316 registers.esi: 45544092 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 91 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 15, 2021, 12:29 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 2092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 1828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 1828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:30 p.m.	process_identifier: 1828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72582000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70252000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724fb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7242a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720ff000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72001000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c0c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c071000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72901000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 15, 2021, 12:54 p.m.	process_identifier: 872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04adf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 15, 2021, 12:29 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13724430336 root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\RXcpOnxIfB\DYjLlSaswfLPI.js
file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com
file	C:\Users\test22\AppData\Roaming\RXcpOnxIfB\fgKraRLUzx.exe.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c cmd < Per.mdb

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Esistenza.exe.com
file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 15, 2021, 12:30 p.m.	show_type: 0 filepath_r: cmd parameters: /c cmd < Per.mdb filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 15, 2021, 12:54 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 15, 2021, 12:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000026c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: AddressBook base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: Connection Manager base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: EditPlus base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: ENTERPRISE base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: Fontcore base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: Google Chrome base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: IE40 base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: IE4Data base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: IEData base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: WIC base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 15, 2021, 12:54 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000026c key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping localhost -n 30

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

193.188.22.4

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgKraRLUzx.url

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 15, 2021, 12:54 p.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1296 resumed a thread in remote process 2092
NtResumeThread Aug. 15, 2021, 12:30 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2092	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Win32.Agent.m!c
DrWeb	Trojan.Siggen14.60354
MicroWorld-eScan	Trojan.GenericKD.46789609
FireEye	Trojan.GenericKD.46789609
McAfee	RDN/Generic.grp
Cylance	Unsafe
Sangfor	Backdoor.Win32.Agent.myucxh
K7AntiVirus	Trojan ( 0057fe8c1 )
Alibaba	Backdoor:Win32/Generic.4e6d3cfc
K7GW	Trojan ( 0057fe8c1 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	BAT/Agent.PAU
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Backdoor.Win32.Agent.myucxh
BitDefender	Trojan.GenericKD.46789609
Avast	Win32:Trojan-gen
Tencent	Malware.Win32.Gencirc.10ce9e14
Ad-Aware	Trojan.GenericKD.46789609
Sophos	Mal/Generic-S
Zillya	Backdoor.Agent.Win32.80898
TrendMicro	TrojanSpy.Win32.ZYX.USMANHD21
McAfee-GW-Edition	BehavesLike.Win32.Jeefo.dc
Emsisoft	Trojan.GenericKD.46789609 (B)
Jiangmin	Trojan.Alien.kc
Webroot	W32.Trojan.Gen
Avira	BAT/Agent.qnsyh
Kingsoft	Win32.Hack.Agent.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan.Agent.D5CXY4
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4576377
TrendMicro-HouseCall	TrojanSpy.Win32.ZYX.USMANHD21
MAX	malware (ai score=88)
Fortinet	W32/Agent.MYUCXH!tr.bdr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
Qihoo-360	Win32/Heur.Generic.HyoDueAA

flx11.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All