Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 20, 2021, 9:14 a.m.	Aug. 20, 2021, 9:34 a.m.

Size	2.2MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7b43102eac227f292e0534dbcd99e797`
SHA256	`72464c7a10469277dad3ff7f30c51f1d3db03076b2feb2e2ac33a9749d44e64d`
CRC32	`0CAD1EC2`
ssdeep	`24576:zSPh31uXt9hqlQC03fsBClLCbEuYkiOS6TCqw5l5vvhiNP9CVFYHwp46lHSJrfj2:zSPB1uXAN`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

sergey11.exe "C:\Users\test22\AppData\Local\Temp\sergey11.exe"
1852
- sergey11.exe C:\Users\test22\AppData\Local\Temp\sergey11.exe
  1548
  - EsjJxo3qJi.exe "C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe"
    2320
    - EsjJxo3qJi.exe C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe
      2584
  - cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\sergey11.exe"
    456
    - timeout.exe timeout /T 10 /NOBREAK
      1788

Name	Response	Post-Analysis Lookup
testmonbot.space	A 82.146.63.123	82.146.63.123
telete.in	A 195.201.225.248	195.201.225.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.201.225.248	Active	Moloch
45.140.147.35	Active	Moloch
82.146.63.123	Active	Moloch
95.179.166.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.140.147.35:80 -> 192.168.56.102:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.140.147.35:80 -> 192.168.56.102:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.140.147.35:80 -> 192.168.56.102:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49234 -> 82.146.63.123:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49166 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e
TLSv1 192.168.56.102:49234 82.146.63.123:443	C=US, O=Let's Encrypt, CN=R3	CN=testmonbot.space	8d:8f:b3:6f:bf:29:a9:73:95:2c:33:d7:9d:ce:b0:4c:28:45:2b:f7

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 20, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 20, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 20, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 20, 2021, 9:14 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d4c70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d4cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d4cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00800608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00800688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00800688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b9268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b9268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2021, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b92e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 20, 2021, 9:14 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.140.147.35/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/8d02576b82138d2b010fc768953f1941bd716a7e
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/c3389610b851607a24842e7bc0dc8a2c5f85d167
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/hobaoparunjohnyrun2
suspicious_features	GET method with no useragent header	suspicious_request	GET https://testmonbot.space/smm.exe

Performs some HTTP requests (5 events)

request	POST http://45.140.147.35/
request	GET http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/8d02576b82138d2b010fc768953f1941bd716a7e
request	GET http://45.140.147.35//l/f/yg35YHsBPvGyIjkLmccH/c3389610b851607a24842e7bc0dc8a2c5f85d167
request	GET https://telete.in/hobaoparunjohnyrun2
request	GET https://testmonbot.space/smm.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://45.140.147.35/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0038a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0038c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Aug. 20, 2021, 9:14 a.m.	number_of_free_clusters: 2666995 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Aug. 20, 2021, 9:14 a.m.	number_of_free_clusters: 2666995 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (50 out of 60 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll

Creates a suspicious process (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\sergey11.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe

Drops an executable to the user AppData folder (50 out of 59 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\sergey11.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 20, 2021, 9:14 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe	1	1	0
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 532 thread_handle: 0x00000694 process_identifier: 456 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\sergey11.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000690	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 20, 2021, 9:14 a.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (22 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications smtp	rule	Network_SMTP_dotNet
description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 61 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6 base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 20, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 20, 2021, 9:14 a.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000214		0	0
NtTerminateProcess Aug. 20, 2021, 9:14 a.m.	status_code: 0xffffffff process_identifier: 2856 process_handle: 0x00000214	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\sergey11.exe"

Communicates with host for which no DNS query was performed (2 events)

host	45.140.147.35
host	95.179.166.29

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1548 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2856 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214		3221225496
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2320 manipulating memory of non-child process 2856
NtUnmapViewOfSection Aug. 20, 2021, 9:14 a.m.	base_address: 0x00400000 region_size: 905216 process_identifier: 2856 process_handle: 0x00000214	3221225497	0
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2856 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	3221225496	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\7Þà0~ @ à@,O ÜÀ H.text´~ `.rsrcÜ @@.relocÀ@B base_address: 0x00400000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: P8hÜ LL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0: InternalNameQuacking.exe(LegalCopyright B OriginalFilenameQuacking.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ì¢êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041a000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: ? base_address: 0x0041c000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2584 process_handle: 0x00000214	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 1548 process_handle: 0x00000210	1	1	0
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\7Þà0~ @ à@,O ÜÀ H.text´~ `.rsrcÜ @@.relocÀ@B base_address: 0x00400000 process_identifier: 2584 process_handle: 0x00000214	1	1	0

Collects information about installed applications (42 events)

Time & API	Arguments	Status
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: iniLINE CrossEX Service regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\iniLINE_CrossEX\DisplayName	1
RegQueryValueExA Aug. 20, 2021, 9:14 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: iniLINE CrossEX Service regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\iniLINE_CrossEX\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1852 called NtSetContextThread to modify thread in remote process 1548
Process injection	Process 2320 called NtSetContextThread to modify thread in remote process 2584
NtSetContextThread Aug. 20, 2021, 9:14 a.m.	registers.eip: 2007957956 registers.esp: 4128624 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 1548	1	0	0
NtSetContextThread Aug. 20, 2021, 9:14 a.m.	registers.eip: 2007957956 registers.esp: 3669276 registers.edi: 0 registers.eax: 4296574 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2584	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1852 resumed a thread in remote process 1548
Process injection	Process 2320 resumed a thread in remote process 2584
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 1548	1	0	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2584	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.179.166.29:60101

Executed a process and injected code into it, probably while unpacking (40 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1852	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1852	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1852	1	0
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 1648 thread_handle: 0x0000020c process_identifier: 1548 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\sergey11.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000210	1	1
NtUnmapViewOfSection Aug. 20, 2021, 9:14 a.m.	base_address: 0x00400000 region_size: 15532032 process_identifier: 1548 process_handle: 0x00000210		3221225497
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 1548 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000210	1	0
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: base_address: 0x00401000 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: base_address: 0x0046c000 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: base_address: 0x00486000 process_identifier: 1548 process_handle: 0x00000210	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: base_address: 0x0048c000 process_identifier: 1548 process_handle: 0x00000210	1	1
NtGetContextThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x0000020c	1	0
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1548 process_handle: 0x00000210	1	1
NtSetContextThread Aug. 20, 2021, 9:14 a.m.	registers.eip: 2007957956 registers.esp: 4128624 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 1548	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 1548	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 1548	1	0
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 2316 thread_handle: 0x000006d0 process_identifier: 2320 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006d8	1	1
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 532 thread_handle: 0x00000694 process_identifier: 456 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\sergey11.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000690	1	1
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2320	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2320	1	0
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 2448 thread_handle: 0x00000210 process_identifier: 2856 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000214	1	1
NtUnmapViewOfSection Aug. 20, 2021, 9:14 a.m.	base_address: 0x00400000 region_size: 905216 process_identifier: 2856 process_handle: 0x00000214		3221225497
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2856 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214		3221225496
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 2572 thread_handle: 0x00000210 process_identifier: 2584 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\EsjJxo3qJi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000214	1	1
NtUnmapViewOfSection Aug. 20, 2021, 9:14 a.m.	base_address: 0x00400000 region_size: 2001731584 process_identifier: 2584 process_handle: 0x00000214		3221225497
NtAllocateVirtualMemory Aug. 20, 2021, 9:14 a.m.	process_identifier: 2584 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214	1	0
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\7Þà0~ @ à@,O ÜÀ H.text´~ `.rsrcÜ @@.relocÀ@B base_address: 0x00400000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: base_address: 0x00402000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: P8hÜ LL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0: InternalNameQuacking.exe(LegalCopyright B OriginalFilenameQuacking.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ì¢êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0041a000 process_identifier: 2584 process_handle: 0x00000214	1	1
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: ? base_address: 0x0041c000 process_identifier: 2584 process_handle: 0x00000214	1	1
NtGetContextThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000210	1	0
WriteProcessMemory Aug. 20, 2021, 9:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2584 process_handle: 0x00000214	1	1
NtSetContextThread Aug. 20, 2021, 9:14 a.m.	registers.eip: 2007957956 registers.esp: 3669276 registers.edi: 0 registers.eax: 4296574 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 2584	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2584	1	0
CreateProcessInternalW Aug. 20, 2021, 9:14 a.m.	thread_identifier: 816 thread_handle: 0x00000088 process_identifier: 1788 current_directory: C:\Users\test22\AppData\LocalLow filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout /T 10 /NOBREAK filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2584	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2584	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2584	1	0
NtResumeThread Aug. 20, 2021, 9:14 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2584	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.77020
FireEye	Generic.mg.7b43102eac227f29
ALYac	Trojan.GenericKDZ.77020
Malwarebytes	Malware.AI.1132001303
K7AntiVirus	Trojan ( 00580e6c1 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
Cybereason	malicious.607708
BitDefenderTheta	Gen:NN.ZemsilF.34088.mo0@aiQ99Qo
Cyren	W32/MSIL_Agent.LM.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACKI
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
BitDefender	Trojan.GenericKDZ.77020
Ad-Aware	Trojan.GenericKDZ.77020
Sophos	Mal/Generic-S
DrWeb	Trojan.PackedNET.972
TrendMicro	TROJ_GEN.R06CC0DHH21
Emsisoft	Trojan.GenericKDZ.77020 (B)
Jiangmin	Backdoor.Agent.kfv
eGambit	Unsafe.AI_Score_100%
Avira	HEUR/AGEN.1144297
MAX	malware (ai score=100)
Kingsoft	Win32.Hack.Undef.(kcloud)
Gridinsoft	Malware.Win32.MigratedCloud.cc
GData	MSIL.Trojan.Kryptik.QZ
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4589712
VBA32	Trojan.MSIL.RedLine.Heur
TrendMicro-HouseCall	TROJ_GEN.R06CC0DHH21
Tencent	Win32.Backdoor.Agent.Aiid
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Kryptik.ABUD!tr
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Backdoor.Generic.HgIASakA

sergey11.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All