Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 23, 2021, 11:56 a.m.	Aug. 23, 2021, 12:12 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`7a9a32c45303b7bef1651551799bb68f`
SHA256	`e806a4db88bb042b54e3fa43e03a2e59bf5d40ff6cd1dad371a1721148da843f`
CRC32	`6E9442AF`
ssdeep	`49152:dsB+54Euz74/EGCWDudi1afr3+j6Qa8rHsDi6HxxJVhkRQyo5ggyFHMkaX5wTIZ1:ds6qRG7Du9frujRnwu2b6to5T4MkLIZ1`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

fbtc-client.exe "C:\Users\test22\AppData\Local\Temp\fbtc-client.exe"
2072
- cmd.exe C:\Windows\system32\cmd.exe /C "C:\Users\test22\AppData\Roaming\fudilul6\9189lt5c.bat"
  572
  - msci.exe "C:\Users\test22\AppData\Roaming\fudilul6\msci.exe"
    1612
    - me.exe C:\Users\test22\AppData\Local\Temp\me.exe
      784
      - me.exe C:\Users\test22\AppData\Local\Temp\me.exe
        2556
    - bld.exe C:\Users\test22\AppData\Local\Temp\bld.exe
      2976
      - bld.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bld.exe"
        1636
    - new.exe C:\Users\test22\AppData\Local\Temp\new.exe
      2968

Name	Response	Post-Analysis Lookup
master11.teamviewer.com	A 185.188.32.21	185.188.32.21
ping3.teamviewer.com	A 188.172.203.62 A 188.172.201.158 A 37.252.244.158 A 213.227.167.158 A 37.252.229.190	37.252.229.190
bingoroll6.net	A 104.21.24.107 A 172.67.218.85	104.21.24.107
bingoroll15.net	A 104.21.80.70 A 172.67.175.9	104.21.80.70
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

IP Address	Status	Action
104.21.80.70	Active	Moloch
104.26.12.31	Active	Moloch
161.156.67.100	Active	Moloch
164.124.101.2	Active	Moloch
172.67.218.85	Active	Moloch
185.188.32.21	Active	Moloch
188.172.201.158	Active	Moloch
45.138.72.167	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49184 -> 172.67.218.85:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 172.67.218.85:80 -> 192.168.56.102:49184	2014819	ET INFO Packed Executable Download	Misc activity
TCP 172.67.218.85:80 -> 192.168.56.102:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49184 -> 172.67.218.85:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49184 -> 172.67.218.85:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 172.67.218.85:80 -> 192.168.56.102:49184	2014819	ET INFO Packed Executable Download	Misc activity
TCP 161.156.67.100:5938 -> 192.168.56.102:49182	2008795	ET POLICY TeamViewer Keep-alive inbound	Misc activity
TCP 192.168.56.102:49183 -> 104.21.80.70:80	2021747	ET MALWARE Win32.Spy/TVRat Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 104.21.80.70:80	2021747	ET MALWARE Win32.Spy/TVRat Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 104.21.80.70:80	2021747	ET MALWARE Win32.Spy/TVRat Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 104.21.80.70:80	2021747	ET MALWARE Win32.Spy/TVRat Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 104.21.80.70:80	2021747	ET MALWARE Win32.Spy/TVRat Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49206 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.138.72.167:25882 -> 192.168.56.102:49188	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49191 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9
TLSv1 192.168.56.102:49206 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 23, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 11:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 12:12 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 23, 2021, 12:11 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 12:11 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 12:11 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 12:11 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 12:12 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 12:12 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (21 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00765dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00765e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00765e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fe18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fe18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fe98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052cb98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052cb98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052ca98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004803d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052ce18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:11 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052ce18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0b428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0b428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0b468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0c328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0c328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f0c228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064b62f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064b64f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2021, 12:12 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064b64f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 23, 2021, 11:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Aug. 23, 2021, 12:11 p.m.	stacktrace: 0x74ee12 0x74ed8f 0x741942 0x74085c 0x740070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x722b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72367610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7294f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72a47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72a44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x74eea1 registers.esp: 2027148 registers.edi: 37494692 registers.eax: 0 registers.ebp: 2027172 registers.edx: 4660768 registers.ebx: 36315828 registers.esi: 37494872 registers.ecx: 0	1
__exception__ Aug. 23, 2021, 12:12 p.m.	stacktrace: new+0x4886f2 @ 0x7886f2 new+0x47a349 @ 0x77a349 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 38 82 f3 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 13171288 registers.edi: 3661824 registers.eax: 13171288 registers.ebp: 13171368 registers.edx: 2130566132 registers.ebx: 32 registers.esi: 2008380459 registers.ecx: 2558787584	1
__exception__ Aug. 23, 2021, 12:12 p.m.	stacktrace: exception.instruction_r: ed e9 bf e3 03 00 c0 df 0a 8f 76 00 05 7b ca ff exception.symbol: new+0x49bbad exception.instruction: in eax, dx exception.module: new.exe exception.exception_code: 0xc0000096 exception.offset: 4832173 exception.address: 0x79bbad registers.esp: 13171408 registers.edi: 6718945 registers.eax: 1750617430 registers.ebp: 3661824 registers.edx: 22614 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Aug. 23, 2021, 12:12 p.m.	stacktrace: exception.instruction_r: ed e9 fc 61 03 00 c3 e9 f8 97 fe ff 62 b0 89 77 exception.symbol: new+0x4c20c2 exception.instruction: in eax, dx exception.module: new.exe exception.exception_code: 0xc0000096 exception.offset: 4989122 exception.address: 0x7c20c2 registers.esp: 13171408 registers.edi: 6718945 registers.eax: 1447909480 registers.ebp: 3661824 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Aug. 23, 2021, 12:12 p.m.	stacktrace: 0x6376fae 0x6376e24 0xc96f62 0xc953fa 0xc90076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x722a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x722b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x722b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72367610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7294f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72a47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72a44de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 1b eb 13 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x637709b registers.esp: 13168264 registers.edi: 49944244 registers.eax: 0 registers.ebp: 13168288 registers.edx: 15493952 registers.ebx: 49943528 registers.esi: 49944348 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (5 events)

Time & API	Arguments	Status	Return
bind Aug. 23, 2021, 11:56 a.m.	ip_address: 127.0.0.1 socket: 916 port: 0	1	0
listen Aug. 23, 2021, 11:56 a.m.	socket: 916 backlog: 2147483647	1	0
accept Aug. 23, 2021, 11:56 a.m.	ip_address: socket: 916 port: 0	1	952
bind Aug. 23, 2021, 11:56 a.m.	ip_address: 127.0.0.1 socket: 6744 port: 6039	1	0
listen Aug. 23, 2021, 11:56 a.m.	socket: 6744 backlog: 2147483647	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://api.ip.sb/geoip

Performs some HTTP requests (6 events)

request	GET http://bingoroll15.net/update.php?id=315021678&stat=91e2f106dc042be7fe29ceda1c1236d8
request	GET http://bingoroll6.net/me.exe
request	GET http://bingoroll15.net/update.php?id=315021678&stat=91e2f106dc042be7fe29ceda1c1236d8&cmd=1
request	GET http://bingoroll6.net/bld.exe
request	GET http://bingoroll6.net/new.exe
request	GET https://api.ip.sb/geoip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 243 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 23, 2021, 11:56 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 11:56 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73794000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:56 a.m.	process_identifier: 1612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 11:56 a.m.	process_identifier: 1612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d13000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72322000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

msci.exe tried to sleep 226 seconds, actually delayed analysis time by 226 seconds

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Roaming\Opera\Opera\operaprefs.ini

Creates executable files on the filesystem (17 events)

file	C:\Users\test22\AppData\Local\Temp\fudilul6\avicap32.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\ExecCmd.dll
file	C:\Users\test22\AppData\Local\Temp\fudilul6\TeamViewer_Resource_en.dll
file	C:\Users\test22\AppData\Local\Temp\fudilul6\tv_w32.exe
file	C:\Users\test22\AppData\Local\Temp\me.exe
file	C:\Users\test22\AppData\Local\Temp\bld.exe
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\new.exe
file	C:\Users\test22\AppData\Local\Temp\fudilul6\tv_x64.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\fudilul6\msci.exe
file	C:\Users\test22\AppData\Local\Temp\fudilul6\tv_w32.dll
file	C:\Users\test22\AppData\Local\Temp\fudilul6\9189lt5c.bat
file	C:\Users\test22\AppData\Local\Temp\fudilul6\tv_x64.exe
file	C:\Users\test22\AppData\Local\Temp\fudilul6\TeamViewer_Desktop.exe
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\WndSubclass.dll

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /C "C:\Users\test22\AppData\Roaming\fudilul6\9189lt5c.bat"

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\new.exe
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\WndSubclass.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\ExecCmd.dll
file	C:\Users\test22\AppData\Local\Temp\nsb7DE5.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\bld.exe
file	C:\Users\test22\AppData\Local\Temp\me.exe

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_ComputerSystemProduct

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 23, 2021, 11:56 a.m.	thread_identifier: 2712 thread_handle: 0x00001edc process_identifier: 784 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\me.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00001ee0	1	1
CreateProcessInternalW Aug. 23, 2021, 11:57 a.m.	thread_identifier: 2988 thread_handle: 0x00000218 process_identifier: 2976 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\bld.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000021c	1	1
CreateProcessInternalW Aug. 23, 2021, 11:58 a.m.	thread_identifier: 2092 thread_handle: 0x00000218 process_identifier: 2968 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\new.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00001bf8	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: pw.exe process_identifier: 2628	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: taskhost.exe process_identifier: 2376	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: SearchFilterHost.exe process_identifier: 1760	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: fbtc-client.exe process_identifier: 2072	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: pw.exe process_identifier: 2088	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: cmd.exe process_identifier: 572	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: conhost.exe process_identifier: 2916	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: msci.exe process_identifier: 1612	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x00000138 process_name: inject-x86.exe process_identifier: 1312	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: WmiPrvSE.exe process_identifier: 236	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2240	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: pw.exe process_identifier: 240	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 3044	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: pw.exe process_identifier: 2900	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: me.exe process_identifier: 784	1	1
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: me.exe process_identifier: 2584	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2612	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: pw.exe process_identifier: 2348	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: bld.exe process_identifier: 1636	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: cmd.exe process_identifier: 2792	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: pw.exe process_identifier: 688	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: cmd.exe process_identifier: 1828	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2068	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: cmd.exe process_identifier: 2820	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2920	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: cmd.exe process_identifier: 2380	1	1
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 528	1	1
Process32NextW Aug. 23, 2021, 11:58 a.m.	snapshot_handle: 0x000019c4 process_name: cmd.exe process_identifier: 2644	1	1
Process32NextW Aug. 23, 2021, 11:58 a.m.	snapshot_handle: 0x000019c4 process_name: new.exe process_identifier: 2968	1	1
Process32NextW Aug. 23, 2021, 11:58 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2504	1	1
Process32NextW Aug. 23, 2021, 11:58 a.m.	snapshot_handle: 0x000019c4 process_name: conhost.exe process_identifier: 2032	1	1
Process32NextW Aug. 23, 2021, 11:58 a.m.	snapshot_handle: 0x000019c4 process_name: pw.exe process_identifier: 1644	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 23, 2021, 11:56 a.m.	flags: 15 family: 0	1	0	0

An executable file was downloaded by the process msci.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile Aug. 23, 2021, 11:56 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÕ¸tÝà0Øo @ @@<oOÀ o H.text¤× Ø `.rsrcÀÜ@@.reloc à@BpoH4.ì@0~u s z&Þ* j( o ((rp.rop(s-%}1þ.s (+,s z0(%,i-à + #à ( (0o Þ&Þ* 0þo Þ&Þ* 6o 00o ÚÖÚÖ# o (þ,s z&0^# (&7 n ÿj1s znjÛÖÚÖ#(+(þ,s zs 00( o ÿs s o ( .(2s(v( rqp~ o ({0È-~ ( ~6-$Ð ( Ð( ( ( 6~6{! ~6~5-ErÓpÐ( 2%!(" ¢%(" ¢%(" ¢(# ($ 5~5{% ~5Ð( ~o& o' }0(( () o* 0L~7-$Ð ( Ð( ( ( 7~7{! ~7((o' 0<s+ +"o, o- ]o, aÑo. &Xo- 2Õo/ Js (0§ %rÿp(¢s%rp((+oZ %r5p(¢s%rÈp((+o^&s0 #%Ð0(1 o2 o3 s ((ÞÅ&Þ&Þ¿Þ&Þ(a:a:££ o ~2({"}R( (!(0D (+(+ (+(+i# + i]aÒ X i2çj( u ("}0: {($ %$¢%Ð( ¢('u¥Z¥$u(7 ~{~8 (9 ,{(#&.r[p:( (,{/"}/( 0 hs/ ~8 }4~8 %rÿp(¢s%\|3þþ } %rsp(¢s%}2{1o+%,i-à+#à( {àX{ MZ3 { PE.\|{ .{1o+ þ(: }})\|{n(; }4röp(o+(< o= ~8 ~8 ~8 \|3oB:\|3{~8 (9 ,w{2r±p(o +\|3{o:,N{2rTp(o +\|3{o>&{2rTp(o +\|3{o>&* ¸(> þ0s? (+&{2r×p(o+\|3{\|4\|\| 0@oR,y{2r±p(o +\|3{o:,P{2rTp(o +\|3{o>&{2rTp(o +\|3{o>&{2rp(o +\|3{{4\|{o6,y{2r±p(o +\|3{o:,P{2rTp(o +\|3{o>&{2rTp(o +\|3{o>&8(@ {nXÐ( (A jXÐ( (A ZjXà{2rp(o +\|3{\|4(@ {nX(; (@ {nX(; {o6&XÑ\|{ ?Rÿÿÿ{2rEp(o+\|3{àoF,y{2r±p(o +\|3{o:,P{2rTp(o +\|3{o>&{2rTp(o +\|3{o>&*(B \|4(@ #+'Z?_dÒ3 (+XsC doD 2Ç{2rp(o +\| request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 23, 2021, 11:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ïoöÉ¥É¥É¥æ¤Ä¥æ¤c¥æ¤ß¥wÿ¤Ø¥wÿ¤Ý¥wÿ¤¥æ¤Ì¥É¥ª¥^ü¤È¥^üþ¥È¥É¥È¥^ü¤È¥RichÉ¥PEL¬S`à*h0@@h <@H`Ø ÔépHê@0`.text `.rdata8â0ä@@.data þ@À.rsrcH@@@.relocØ `""@B¹.CèqhA%BèYÃjjh /C¹Ð.CèrhK%BèûYÃVWjèäÔY¿ /CðÏèC]jVÏÇ /C3Bè¿ThU%BèÃY_^Ã¹É.Cé§r¹È.Cèph_%Bè¡YÃhs%BèYÃhi%BèYÃ¹0Cèkph%BèsYÃh}%BègYÃÌÌÌÌÌÌÌUìì¡P C3ÅEüUEôVñUôNÆEøQWÀÇä1BPfÖèMMüÄÆ3Í^è[å]ÂÌÌÌUìVñWÀFPÇä1BfÖEÀPèÄÆ^]ÂÌÌÌI¸lèBÉEÁÃÌÌUìVñFÇä1BPèBÄöEtjVè2ÄÆ^]ÂAÇä1BPèYÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAèBÇ02BÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿh CEôPèÊÌÌÌÌUìVñWÀFPÇä1BfÖEÀPèAÄÇ02BÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇä1BfÖEÀPèÄÇð1BÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌhèBèÿoÌÌÌÌÌÌUìVñWÀFPÇä1BfÖEÀPè±ÄÇ$2BÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìEUH]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìUøìVÿuRÿPuHVI;Ju;u °^å]Â2À^å]ÂÌÌÌÌUìAVuV;Bu;Eu°^]Â2À^]ÂÌÌÌÌÌÌÌÌÌUìEMÇ@ )C]ÃÌÌÌÌÌÌÌÌÌÌÌÌSÜìäøÄUkl$ìjÿhEBd¡PSìX¡P C3ÅEìVWPEôd£ù}àCMÈP}àènKCsEàÇEüMØÉtDUÜÂ+Áør AúEØº: EÈCEÈfÆDëjh¨èBÆEèMÈÿuèjèCcÿuàM°QÎÿPÆEüU°}ÄMÀCU°EÜuØ+ÆMàQR;Èw%}ÜEØEÈCEÈðVèIEàÄÆëÆEàÿuàQMÈèÝbUÄúr,M°BÁúrIüÂ#+ÁÀüøËRQèÄMÈMÇä1Bó~EØfÖE¨WÀ}¬f~ÈfÖGMCÈÇEØGÇEÜPEäÆEÈPMäÆEèèIU¬ÄÇ$2Búr(MBÁúrIüÂ#+ÁÀüøwCRQèwÄKÇSÇ<2BOWMôd Y_^Mì3Íèå]ã[ÂèÞèÞÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñFÇä1BPèÄöEtjVèÄÆ^]ÂUìVuWÀWùGPÇä1BfÖFPèpÇ<2BÄFNGÇOÇH2B_^]ÂÌÌÌÌÌÌÌÌÌUìVuWÀWùGPÇä1BfÖFPè ÄÇ<2BFNGÇO_^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ¸¬èBÃÌÌÌÌÌÌÌÌÌÌUìQEVuuüøu(jÇFÎÇFh¤éBÆèSÆ^å]ÂWPèérÐÇFÊÇFÄÆyAÀuù+ÏQRÎè^S_Æ^å]ÂÌÌÌÌUìöEVñtjVè´~ÄÆ^]ÂÌÌUìöEVñÇp2BtjVè~ÄÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌUìjÿh¿Bd¡PQV¡P C3ÅPEôd£ñuðjèÙiÇEüÇFÆFÇFÆF3ÀÇFfFFfF F$F(F,F0EÆEüÀtPVè¶nÄÆMôd Y^å]Âh¸èBè¹jÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿhàBd¡PV¡P C3ÅPEôd£ñVè¥nF,ÄÀt PèHÒÄÇF,F$Àt Pè1ÒÄÇF$FÀt PèÒÄÇFFÀt PèÒÄÇFFÀt PèìÑÄÇFFÀt PèÕÑÄÎÇFèòhMôd Y^å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌðÿAÃÌÌÌÌÌÌÌÌÌÌÌÈÿðÁA¸DÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌIÉtÿPÀtÈjÿÃÌÌÌÌÌÌÌ¸ÃÌÌÌÌÌÌÌÌÌÌUìAP¶EPèêpÄ]ÂÌÌÌÌÌÌÌÌUìVuW};÷tSY¶SPè¾pÄF;÷uì[_Æ^]ÂUìAP¶EPèqÄ]ÂÌÌÌÌÌÌÌÌUìVuW};÷tSY¶SPèlqÄF;÷uì[_Æ^]ÂUìE]ÂÌÌÌÌÌÌUìUVuW}Ï+ÎQVRè6ÄÇ_^]ÂÌÌÌÌÌÌÌÌÌÌÌUìE]ÂÌÌÌÌÌÌUìUVuW}Ï+ÎQVRèöÄÇ_^]ÂÌÌÌÌÌÌÌÌÌÌÌUìVñFÇ2BÀ~ ÿvèÐë yÿvè{ÄÿvèñÏÄÇp2BöEtjVè{ÄÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìjÿh Bd¡PìSVW¡P C3ÅPEôd£ñuðEUÊuðÇEè8XAÇEìÆEØEðAÀuù+MðQRMØè'OEØÇEüPSWÎèCøÿÿUìúr(MØBÁúrIüÂ#+ÁÀüøw&RQè^zÄÇ°2BÆMôd Y_^[å]ÂèØÌÌUìäøEìàAIV#Èt}të^å]ÂjjèöÁt¾ÈèBëöÁ¾àèB¸øèBDðD$jPèv÷ÿÿÄL$PVèÈþÿÿhÀ CD$Pè¿ÌÌÌÌÌÌÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile Aug. 23, 2021, 11:57 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL BÝ}àÖ"èP @ ú!4@:@P~Ç°3 à p ` ðt@À øé \|@@ @@.idata @@À800-850 r`r``.themidaàGà`à.boot.ÀO.``800-850 Ðà} 2 `.rsrcÇ~2@@^¯#f-d3ª[LyQT\ HäYõÌ7eªÙt ]Z°>+Ø_(>^9+yY']aCCBXvüLiûú ZuYDÜc$?wD zS>O \bâ rÓvå2^üpa¬rQféi´oC^¾:ðqbv¨dw$kYà×qÑzO0,DìtGädbFxí%cÄùV½Q%ôé¾[mYû_M)t4f>qm#U2aa` ynt!zmdlÝÚð¾þþ²W_]Ef"Ia{Ïz<3J¸÷rZÚâògZîs¤gÿw½ß>×NPn`h²J´iîDw^ÄúphyTm½>¬w[pÕSôq´u`²eW§;"bÃøCÑpe5LîOcà0iËÚp0k¤y_fCÜ5dJ¢§fW»íÃm÷i9àóPïß;éëzjvMl]H9k¥`>÷öVò7w³Í,x=f³sìrBqï¡lºsk:b×{#B${B¤z«û dÛpÅCFgÁ)8bõpü(M×H J2V>OÃpyt2@@åcLEiÿQ\ÖXE$¥¥1{;N/;ºêÄ_Þ>ûúZh¹Äfu9YÍ¿xnW3Ó\S¢¤?©FQxU£é¶§¤]éÁ£¢Ø¾Hõ]óÛ<9{§O2§BGÙbcFV8íWO 5têØuÖïjóìEAûzGRØú)á¯tÛñÅVq8:çWj K(Ú¨mg&.8WëÆ b¤]¼ ©¢+Gg:É£W÷j&wn?ØÝ§.F,r8l,2×oì¾&Ú¼03%i¬nV:JWØ®ä)¯nPè¯áIøH ¯-)ZÞ[b³XQífQOÀWÕDûoîé@Õ??e0©bâ¥ 5Xw8³ì¬ÌÎ?¿O_¥¬Yót£·¾Mµ$Tµ´½¢& A ÷+kNskTn{@Ö£ýdl2ñ/®âÖDAG0îëMe ÑEû5»©×írafõ)»ùT²~Wv;Õ6jUö óÛ>H>x¦?z\|D´ø_ëov¶2µÀ¼qGoQVèoìFzÆóõÉ4~cii/K6ã?{JfvSmÑiP ÁT 7mëçÆÌágÏýMÝb-ONñÉ}ªæ>bWg¥Ch·]´BÒedûC35o!ü§V> ^«Þ£?ÕCÒé£b4gáß#KðS/fh×µ\|Û 7cîãW¿9¬ C=6ÐvøU÷6é=vv¸DP¦!ïßÂÌVx~GéLk_öp_Í;!-÷p)MÀs[ ¯9Äf [_hj<T?!£3^ ?ãÐö¯GWMßD©¸±hùN3G°ptETàïVËp,«Ût°(ùz¤øy6/V-oì£ z"ÔÈ/n!þ7ù·Îj¥\FiîÛ½9%^¸qÑK¢²Ðª=¢Uí¯]Ð,'ÿeØ9ð ±]4!ât°mÍ2=³)Q1?SF"AáÏc 5+¸»öF]HRUéð¿Y^E§¾UcnW¿ã2]JRNYXfWû]7KÃÇÞ.ÛSnÍ2ãéwPn)nDÄ%H]2iÅçi-?vþùÜÉé,W)&¿n÷a< vL- ô6Xéi#zB¶ð<.þS[©òbÚc:`YEcÎP[Püþìjl{Ùºí?îâ9Ô©: GÄvsw:U `jsãµL cÆ÷ÕwÖ¡=£/W;,_½³ùØ«¨¾h2§Ò¾_9á/Ô¢çÜ=ë³ÿØOiýEäP>®~M¦Õªùâvoõ\+ç&`ÛOÎçt:G^·KbCW«ÔõVoè9÷áøãk°oÅê¤q:XRvK°Bú7çU8¢)QGwU ¢@.¨¡£×u^n:n \|¨GJ9 Y!Szt¸à\C] êy50ÍsGsû,?(mz²èVTzF³j-=lÍóãKU8³q½YjVohÂNMDÏ¥í?W",¯'ì.auÁ`/½¡´ÑF¼Bcûè?V]aw÷[qzTFTB`ô5ê{ù×²SÒ¶³üàQ»büÖ§i4«µ9iµyd}²ô¡ÝgÁ³vMW³KñE%Þåy+æÏ<ªWmXò}Sû´TãÀßSëyS`zå¢`'Oü~IðhHAµÊNÿÌúM§ÑfÿíºicôVÛVúXh®ü>zÜ®O>LG´§kCüoí9É´(GTg+PëúË=¨ñFR¶qª9@Cy\|Hªî.eMk¯1ð@k8OFVs5ò¶7fû(PÝk°P&ª½Flz6`ÈsEHWÔkT¾îÜ;1¯£äOxëÕD©¨ìòq4åµv~æøt®<)PÞRÓ+½Ù#<mI?i×aå9MSE2öË·n¶ùa¸WýBÃÞ§-ùPþ¨¢ú<lçÏä_P¤lêÆÐTC©hÑfF¼H]ÚWVD?±¶+Ñ±N^ÚDZ4èÏRÏ¦îhóäÓSÝpäf-PäýyBËøÐöc=t¢ÉÝz:öWlñQÔ[Ðá×d·ª\|t$®Ûð¯7ñà¤·Î¡¸ÑS¥ó>¦È±¨1(ÙBn·RëKv¦ Ý2oà7¥«î5lzì<\|ì0¬ÃÆ8dG~XTgã;Ô¢P'TcVâjfÆ²øGvTwìrÄSW÷Ç0Wåâ\<D¯¼â¾Í:c>E;\|rYcL¯Æ¿W,¿ãûBq«¢^XGF«d4»§'?~V.¢Û&À6&Àû¼PkºNØµz/«Q4NodÂÞ\-ºÄ9½Ç7¹¸=]]á &7ìÚw=]£ä÷C=0¤»QDF¦}Õ¬çÚnu¡.ìm"YìºPÂæjxP2å7×ßæâ¶ÓÅ=»ç¿ZO=Þ/vZóO>wÈïí¹áöE°ßîºi$ìÒÓ½q-Ç7G94GbZ®Ó¨Òò´r5ÖnÊÆúuE CMqÞCÎq¤}÷}èùÜØv_eËñ;TæW/\!2ë÷ÊÆbF®Ñ¯.skB=oó-?¬,¸mDSa ½RúslN~6:©ÊÈy\|bZ^4PP4Bì PÐßCJ×]Yw£jÚ¸ý+E¤@=ê2\e.[±î8s²¶P=ý<Dd7T,×?YhZ_ÜU7'99÷ÛX+æà¸ ø#ºg¡È ¯e ^>äiÆt½Ñ6 À÷l~µ\Órd^c CÇìÄ"M¥LGYUWóçùzáJUGDÃúláõ¢AßkPXo,ß¥-_&Ú«^ªÚð¢\|J}Fðî"ÿÐ5m^D?NNom"wÃs?gåKÍô?}^Y8¢=nÖàThG¦¦øÚ7ßNivXWGNSÏslæ6D~ÖL¹ê¡N5õê±Wtm½Ü®,¸Ï~mcÐõ½¸_q{*ÝmpUKqJ«êh¨=vØVQThd(þ¢Ê§Q[uåÇ²NT\@øðuPl)^ùrI7vOÏYkQ£9ä¹üOZûß7Q23·gÅCOX%dSÞ,[A¸wZöòÄvHØjã\~cXSð3] EÊm&¥sÝ\9©V½¸{NÀ³ request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 23, 2021, 11:56 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Aug. 23, 2021, 11:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 23, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 23, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 23, 2021, 12:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 184 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:56 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0
Process32NextW Aug. 23, 2021, 11:57 a.m.	snapshot_handle: 0x000019c4 process_name: process_identifier: 0		0	0

Potentially malicious URLs were found in the process memory dump (50 out of 125 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://qual.ocsp.d-trust.net0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.TeamViewer.com
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0

Yara rule detected in process memory (42 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Hijack network configuration	rule	Hijack_Network
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	Remote Administration toolkit using webcam	rule	RAT_WebCam
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 106 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000062c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: 7-Zip base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: AddressBook base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Adobe AIR base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Connection Manager base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: EditPlus base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: ePageSafer base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Fontcore base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Google Chrome base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: IE40 base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: IE4Data base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: IEData base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: Office14.PROPLUS base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: TouchEn nxKey base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: UnINISafeWeb base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: UnINISafeWeb6 base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: WIC base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 23, 2021, 12:11 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000062c key_handle: 0x000005dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Terminates another process (4 events)

Time & API	Arguments	Status	Return
NtTerminateProcess Aug. 23, 2021, 12:11 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x00000220		0
NtTerminateProcess Aug. 23, 2021, 12:11 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x00000220	1	0
NtTerminateProcess Aug. 23, 2021, 12:11 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x00000220		0
NtTerminateProcess Aug. 23, 2021, 12:11 p.m.	status_code: 0xffffffff process_identifier: 2584 process_handle: 0x00000220		3221225738

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystemProduct

Communicates with host for which no DNS query was performed (2 events)

host	161.156.67.100
host	45.138.72.167

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2584 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220		3221225496	0
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (27 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2021, 12:12 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 784 manipulating memory of non-child process 2584
NtUnmapViewOfSection Aug. 23, 2021, 12:11 p.m.	base_address: 0x00400000 region_size: 643072 process_identifier: 2584 process_handle: 0x00000220	3221225497	0
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2584 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	3221225496	0

Collects information about installed applications (50 out of 80 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:11 p.m.	key_handle: 0x000005dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Aug. 23, 2021, 12:12 p.m.	key_handle: 0x000001e8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 called NtSetContextThread to modify thread in remote process 2556
NtSetContextThread Aug. 23, 2021, 12:11 p.m.	registers.eip: 2007957956 registers.esp: 2030400 registers.edi: 0 registers.eax: 4294702 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2556	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 572 resumed a thread in remote process 1612
Process injection	Process 784 resumed a thread in remote process 2556
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1612	1	0	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2556	1	0	0

Creates known TeamViewer mutexes and/or registry changes. (2 events)

regkey	HKEY_LOCAL_MACHINE\Software\TeamViewer\Version6\DefaultSettings\
regkey	HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer3

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 23, 2021, 12:12 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 23, 2021, 12:12 p.m.	stacktrace: exception.instruction_r: ed e9 fc 61 03 00 c3 e9 f8 97 fe ff 62 b0 89 77 exception.symbol: new+0x4c20c2 exception.instruction: in eax, dx exception.module: new.exe exception.exception_code: 0xc0000096 exception.offset: 4989122 exception.address: 0x7c20c2 registers.esp: 13171408 registers.edi: 6718945 registers.eax: 1447909480 registers.ebp: 3661824 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

Executed a process and injected code into it, probably while unpacking (43 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2072	1	0
CreateProcessInternalW Aug. 23, 2021, 11:56 a.m.	thread_identifier: 1148 thread_handle: 0x00000244 process_identifier: 572 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /C "C:\Users\test22\AppData\Roaming\fudilul6\9189lt5c.bat" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000248	1	1
CreateProcessInternalW Aug. 23, 2021, 11:56 a.m.	thread_identifier: 1080 thread_handle: 0x00000088 process_identifier: 1612 current_directory: filepath: C:\Users\test22\AppData\Roaming\fudilul6\msci.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\fudilul6\msci.exe" filepath_r: C:\Users\test22\AppData\Roaming\fudilul6\msci.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x000019bc suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00001b6c suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00001b7c suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00001c20 suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00001c28 suspend_count: 1 process_identifier: 1612	1	0
NtResumeThread Aug. 23, 2021, 11:56 a.m.	thread_handle: 0x00001e24 suspend_count: 1 process_identifier: 1612	1	0
CreateProcessInternalW Aug. 23, 2021, 11:56 a.m.	thread_identifier: 2712 thread_handle: 0x00001edc process_identifier: 784 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\me.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00001ee0	1	1
CreateProcessInternalW Aug. 23, 2021, 11:57 a.m.	thread_identifier: 2988 thread_handle: 0x00000218 process_identifier: 2976 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\bld.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000021c	1	1
CreateProcessInternalW Aug. 23, 2021, 11:58 a.m.	thread_identifier: 2092 thread_handle: 0x00000218 process_identifier: 2968 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\new.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00001bf8	1	1
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 784	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 784	1	0
CreateProcessInternalW Aug. 23, 2021, 12:11 p.m.	thread_identifier: 2600 thread_handle: 0x0000021c process_identifier: 2584 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\me.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection Aug. 23, 2021, 12:11 p.m.	base_address: 0x00400000 region_size: 643072 process_identifier: 2584 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2584 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220		3221225496
CreateProcessInternalW Aug. 23, 2021, 12:11 p.m.	thread_identifier: 2288 thread_handle: 0x0000021c process_identifier: 2556 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\me.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection Aug. 23, 2021, 12:11 p.m.	base_address: 0x00400000 region_size: 2001731584 process_identifier: 2556 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory Aug. 23, 2021, 12:11 p.m.	process_identifier: 2556 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtGetContextThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000021c	1	0
NtSetContextThread Aug. 23, 2021, 12:11 p.m.	registers.eip: 2007957956 registers.esp: 2030400 registers.edi: 0 registers.eax: 4294702 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000005d4 suspend_count: 1 process_identifier: 2556	1	0
NtGetContextThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 23, 2021, 12:11 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW Aug. 23, 2021, 12:11 p.m.	thread_identifier: 1628 thread_handle: 0x00000068 process_identifier: 1636 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bld.exe filepath_r: stack_pivoted: 0 creation_flags: 8 (DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000064	1	1
NtGetContextThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0xfffffffe	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2968	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 2968	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2968	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2968	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2968	1	0
NtResumeThread Aug. 23, 2021, 12:12 p.m.	thread_handle: 0x00000668 suspend_count: 1 process_identifier: 2968	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

MicroWorld-eScan	Trojan.GenericKD.46837833
FireEye	Generic.mg.7a9a32c45303b7be
ALYac	Trojan.GenericKD.46837833
Sangfor	Trojan.Win32.TheRat.gen
K7AntiVirus	Trojan ( 005808dd1 )
K7GW	Trojan ( 005808dd1 )
ESET-NOD32	NSIS/Injector.ANO
TrendMicro-HouseCall	TROJ_GEN.R03FH0CHL21
Kaspersky	HEUR:Trojan-Spy.Win32.TheRat.gen
BitDefender	Trojan.GenericKD.46837833
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.46837833
Sophos	Mal/Generic-S
DrWeb	BackDoor.TeamViewer.263
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.46837833 (B)
APEX	Malicious
Avira	TR/Injector.wccts
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Tnega!ml
ZoneAlarm	HEUR:Trojan-Spy.Win32.TheRat.gen
GData	Trojan.GenericKD.46837833
Cynet	Malicious (score: 100)
McAfee	Artemis!7A9A32C45303
Malwarebytes	Trojan.Injector.NSIS
Tencent	Win32.Trojan-spy.Therat.Ajvu
Yandex	Trojan.Slntscn24.bVVB1s
eGambit	PE.Heur.InvalidSig
AVG	Win32:Trojan-gen
Panda	Trj/CI.A

fbtc-client.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All