Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 18, 2021, 6:31 p.m.	Aug. 18, 2021, 6:40 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1637661fced5903b3db6ad8f4633a729`
SHA256	`634206b8256faa12b0664ad3b1fb101d26d884d761688193fee177ce8ed48723`
CRC32	`F7FB973D`
ssdeep	`24576:rSLXjRGOsO3AhBe1Qnh0aZP000Ibavym04b+Jimrn+0MwduFMMh9I/T6:EzRGOsO3AhBe1zaN00qy7HQmrn+lrFy6`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) NPKI_Zero - File included NPKI

Straight.exe "C:\Users\test22\AppData\Local\Temp\Straight.exe"
2948
- dllhost.exe "C:\Windows\System32\dllhost.exe"
  872
- cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Smarrito.potx
  2800
  - cmd.exe cmd
    2164
    - findstr.exe findstr /V /R "^EEooMPoWPFfAikdlGlnQpNsfZEiuPvmTPikfoSRsEVXYToUUEvmliuLQjSpiHeiaycKZqweOaujhQzvRJhCaWgLJvcefIJJCNESbbVUDxLSwUbZTvsbxmOvQJwDEYMyIvKmkBYxOzZYkvK$" Ricordate.potx
      2672
    - Infinita.exe.com Infinita.exe.com w
      2092
      - Infinita.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com w
        1436
        
        RegAsm.exe C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        2564
    - PING.EXE ping TEST22-PC -n 30
      2412

Name	Response	Post-Analysis Lookup
FpElXOanXJqAQlxZjEpQUO.FpElXOanXJqAQlxZjEpQUO
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
2.56.59.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49216 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 2.56.59.35:43636 -> 192.168.56.101:49214	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49216 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:32 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0

Command line console output was observed (50 out of 89 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Set HrwuarULhzhraaXPlyZyWPUadFoLKtEuB=DESKTOP- console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Set AoHOeRgCEiD=QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Set KDiLuLDGkEJzkYZCc=ping %computername% -n console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: if %computername%==%HrwuarULhzhraaXPlyZyWPUadFoLKtEuB% %KDiLuLDGkEJzkYZCc% 300 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Set IwuUGucFX=MZ console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: <nul set /p = "%IwuUGucFX%" > Infinita.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: findstr /V /R "^EEooMPoWPFfAikdlGlnQpNsfZEiuPvmTPikfoSRsEVXYToUUEvmliuLQjSpiHeiaycKZqweOaujhQzvRJhCaWgLJvcefIJJCNESbbVUDxLSwUbZTvsbxmOvQJwDEYMyIvKmkBYxOzZYkvK$" Ricordate.potx >> Infinita.exe.com" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: copy Felicita.potx w console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: start Infinita.exe.com w console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: %KDiLuLDGkEJzkYZCc% 30 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000> console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Pinging test22-PC [fe80::4cc:7185:d814:e56e%11] console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Aug. 18, 2021, 6:31 p.m.	buffer: Reply from fe80::4cc:7185:d814:e56e%11: console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00639138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00639138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00639178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05c58ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2021, 6:31 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9f8907 0x9f8849 0x9f8572 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288440 registers.edi: 46944288 registers.eax: 0 registers.ebp: 2288484 registers.edx: 11447156 registers.ebx: 46944092 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9f8907 0x9f8849 0x9f8572 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288440 registers.edi: 47909984 registers.eax: 0 registers.ebp: 2288484 registers.edx: 11447156 registers.ebx: 47909788 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9f8907 0x9f8849 0x9f8572 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288440 registers.edi: 48861980 registers.eax: 0 registers.ebp: 2288484 registers.edx: 11447156 registers.ebx: 48861784 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fa636 0x9fa589 0x9f85e7 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 45669308 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 45669112 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fa636 0x9fa589 0x9f85e7 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 46632708 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 46632512 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fa636 0x9fa589 0x9f85e7 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 45679132 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 45678936 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fab97 0x9faae9 0x9f865c 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288436 registers.edi: 46642624 registers.eax: 0 registers.ebp: 2288480 registers.edx: 11447156 registers.ebx: 46642428 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fab97 0x9faae9 0x9f865c 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288436 registers.edi: 47658712 registers.eax: 0 registers.ebp: 2288480 registers.edx: 11447156 registers.ebx: 47658516 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fab97 0x9faae9 0x9f865c 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288436 registers.edi: 48674800 registers.eax: 0 registers.ebp: 2288480 registers.edx: 11447156 registers.ebx: 48674604 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fafd9 0x9faf29 0x9f86cd 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 49691084 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 49690888 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fafd9 0x9faf29 0x9f86cd 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 45734164 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 45733968 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fafd9 0x9faf29 0x9f86cd 0x9f8027 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9f8ca3 registers.esp: 2288432 registers.edi: 46752372 registers.eax: 0 registers.ebp: 2288476 registers.edx: 11447156 registers.ebx: 46752176 registers.esi: 0 registers.ecx: 11447680	1
__exception__ Aug. 18, 2021, 6:32 p.m.	stacktrace: 0x9fce52 0x9fcdd4 0x9f1982 0x9f085c 0x9f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x71fd2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x71fe264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x71fe2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x720974ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72097610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72121dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72121e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72121f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7212416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7375f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x9fcee1 registers.esp: 2288652 registers.edi: 48627996 registers.eax: 0 registers.ebp: 2288676 registers.edx: 6310816 registers.ebx: 44770132 registers.esi: 48628176 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (1 event)

request

GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 90 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74242000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72612000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70beb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00805000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00807000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7374a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7427f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74081000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74071000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04eff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 18, 2021, 6:31 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13725429760 root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c cmd < Smarrito.potx

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 18, 2021, 6:31 p.m.	show_type: 0 filepath_r: cmd parameters: /c cmd < Smarrito.potx filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2021, 6:31 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 18, 2021, 6:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (32 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: AddressBook base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: Connection Manager base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: DirectDrawEx base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: EditPlus base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: ENTERPRISE base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: Fontcore base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: Google Chrome base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: IE40 base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: IE4Data base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: IE5BAKEX base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: IEData base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: MobileOptionPack base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: SchedulingAgent base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: WIC base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 18, 2021, 6:32 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000003f0 key_handle: 0x000002c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping TEST22-PC -n 30

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 1057b3bfaf9291901779359be87cc91b936f2100

Communicates with host for which no DNS query was performed (1 event)

host

2.56.59.35

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 122880 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 process_handle: 0x00000214	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2564 process_handle: 0x00000214	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:32 p.m.	key_handle: 0x000002c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1436 called NtSetContextThread to modify thread in remote process 2564
NtSetContextThread Aug. 18, 2021, 6:31 p.m.	registers.eip: 2000355780 registers.esp: 2291904 registers.edi: 0 registers.eax: 1150830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2564	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2164 resumed a thread in remote process 2092
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2092	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.Win32.Agent.m!c
Elastic	malicious (high confidence)
McAfee	Artemis!1637661FCED5
Cylance	Unsafe
Zillya	Backdoor.Agent.Win32.80898
Sangfor	Riskware.Win32.Agent.ky
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Generik.KIMYJJY
Avast	FileRepMalware
Kaspersky	Backdoor.Win32.Agent.myuczx
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Sophos	Mal/Generic-R
Paloalto	generic.ml
Jiangmin	Trojan.Alien.kc
Webroot	W32.Trojan.Gen
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	Backdoor.Win32.Agent.myuczx
Cynet	Malicious (score: 100)
VBA32	Backdoor.Agent
Tencent	Malware.Win32.Gencirc.10ce9e14
Ikarus	Trojan-Spy.RedLineStealer
Fortinet	W32/Malicious_Behavior.VEX
AVG	FileRepMalware
Qihoo-360	Win32/Heur.Generic.HyoDTAIA

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1684 thread_handle: 0x00000250 process_identifier: 872 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: C:\Windows\System32\dllhost.exe track: 1 command_line: "C:\Windows\System32\dllhost.exe" filepath_r: C:\Windows\System32\dllhost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2252 thread_handle: 0x0000027c process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c cmd < Smarrito.potx filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634176 (CREATE_DEFAULT_ERROR_MODE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000298	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 492 thread_handle: 0x00000088 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2324 thread_handle: 0x0000008c process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /V /R "^EEooMPoWPFfAikdlGlnQpNsfZEiuPvmTPikfoSRsEVXYToUUEvmliuLQjSpiHeiaycKZqweOaujhQzvRJhCaWgLJvcefIJJCNESbbVUDxLSwUbZTvsbxmOvQJwDEYMyIvKmkBYxOzZYkvK$" Ricordate.potx filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1120 thread_handle: 0x00000090 process_identifier: 2092 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com track: 1 command_line: Infinita.exe.com w filepath_r: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2092	1	0
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 812 thread_handle: 0x00000094 process_identifier: 2412 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping TEST22-PC -n 30 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1296 thread_handle: 0x0000013c process_identifier: 1436 current_directory: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000 filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Infinita.exe.com w filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000140	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 240 thread_handle: 0x0000020c process_identifier: 2564 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000214	1	1
NtGetContextThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000020c	1	0
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2564 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00100000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: base_address: 0x00100000 process_identifier: 2564 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: ÿÿÿÿû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2564 process_handle: 0x00000214	1	1
NtSetContextThread Aug. 18, 2021, 6:31 p.m.	registers.eip: 2000355780 registers.esp: 2291904 registers.edi: 0 registers.eax: 1150830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:32 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Aug. 18, 2021, 6:32 p.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Aug. 18, 2021, 6:32 p.m.	thread_handle: 0x00000184	1	0
NtGetContextThread Aug. 18, 2021, 6:32 p.m.	thread_handle: 0x00000184	1	0
NtResumeThread Aug. 18, 2021, 6:32 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2564	1	0

Straight.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All