Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 6, 2021, 6 p.m.	Sept. 6, 2021, 6:10 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b23d6c569893579789695f3d05accbe1`
SHA256	`93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c`
CRC32	`9FA407F3`
ssdeep	`24576:ckJ57Lut19vrBg9qm+BZkvgt7DYOl+FbSoLCwcpN5tgLG6OI8mMe2WLPFouz:T7LG1V/dBZkY1Yo+X+tgLGPi2WLPFou`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

ghjkl.exe "C:\Users\test22\AppData\Local\Temp\ghjkl.exe"
1764
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  1660
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2848
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  276
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  816
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2136
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2328
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2272
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  508
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2748
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2968
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"
  1376
  - Oggnfkemtibcinconsoleapp16.exe "C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"
    2308
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2760
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2988
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1784
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2168
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      656
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2332
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2504
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1636
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      900
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      1788
- ghjkl.exe C:\Users\test22\AppData\Local\Temp\ghjkl.exe
  932
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
telete.in	A 195.201.225.248	195.201.225.248
google.com	A 216.58.197.238	172.217.175.78

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.201.225.248	Active	Moloch
216.58.197.238	Active	Moloch
45.142.215.237	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49179 -> 195.201.225.248:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.215.237:80 -> 192.168.56.102:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.142.215.237:80 -> 192.168.56.102:49190	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.142.215.237:80 -> 192.168.56.102:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49179 195.201.225.248:443	C=US, O=Let's Encrypt, CN=R3	CN=telecut.in	be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e

Queries for the computername (50 out of 190 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 6, 2021, 6 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (24 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0
IsDebuggerPresent Sept. 6, 2021, 6 p.m.			0	0

Command line console output was observed (50 out of 78 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 6, 2021, 6 p.m.	buffer: TEST22-PC google.com 216.58.197.238 {} console_handle: 0x00000033	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 866 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f4d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f5498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f5498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b97c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b97c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b97c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b96c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b90c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b90c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b90c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b92c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b9288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b8c88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0609e608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0609fff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0609fff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00741b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007427a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007427a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 6, 2021, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007427a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales\ru.pak
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2021, 6 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 6, 2021, 6 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x6f4b35 0x6f4aaa 0x6f2385 0x6f1d3b 0x6f0285 0x6630f97 system+0x1d3f63 @ 0x6f573f63 0x79fc27 0x79e30c system+0x19c522 @ 0x70c3c522 system+0x19e920 @ 0x70c3e920 system+0x19e803 @ 0x70c3e803 0x791509 system+0x1f9799 @ 0x70c99799 system+0x1f92c8 @ 0x70c992c8 system+0x1eca74 @ 0x70c8ca74 system+0x1ec868 @ 0x70c8c868 system+0x1f82b8 @ 0x70c982b8 system+0x1ee54d @ 0x70c8e54d system+0x1f70ea @ 0x70c970ea system+0x1e56c0 @ 0x70c856c0 system+0x1f8215 @ 0x70c98215 system+0x1f6f75 @ 0x70c96f75 system+0x1ee251 @ 0x70c8e251 system+0x1ee229 @ 0x70c8e229 system+0x1ee170 @ 0x70c8e170 0x42a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x70c8bc85 system+0x1f683b @ 0x70c9683b system+0x1a5e44 @ 0x70c45e44 system+0x1fd8a0 @ 0x70c9d8a0 system+0x1fd792 @ 0x70c9d792 system+0x1a14bd @ 0x70c414bd 0x790088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7410f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 2287240 registers.edi: 1969676232 registers.eax: 16973824 registers.ebp: 2287444 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0
__exception__ Sept. 6, 2021, 6 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x6f4b35 0x6f4aaa 0x6f2385 0x6f1d3b 0x6f0285 0x6630f97 system+0x1d3f63 @ 0x6f573f63 0x79fc27 0x79e30c system+0x19c522 @ 0x70c3c522 system+0x19e920 @ 0x70c3e920 system+0x19e803 @ 0x70c3e803 0x791509 system+0x1f9799 @ 0x70c99799 system+0x1f92c8 @ 0x70c992c8 system+0x1eca74 @ 0x70c8ca74 system+0x1ec868 @ 0x70c8c868 system+0x1f82b8 @ 0x70c982b8 system+0x1ee54d @ 0x70c8e54d system+0x1f70ea @ 0x70c970ea system+0x1e56c0 @ 0x70c856c0 system+0x1f8215 @ 0x70c98215 system+0x1f6f75 @ 0x70c96f75 system+0x1ee251 @ 0x70c8e251 system+0x1ee229 @ 0x70c8e229 system+0x1ee170 @ 0x70c8e170 0x42a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a system+0x1ebc85 @ 0x70c8bc85 system+0x1f683b @ 0x70c9683b system+0x1a5e44 @ 0x70c45e44 system+0x1fd8a0 @ 0x70c9d8a0 system+0x1fd792 @ 0x70c9d792 system+0x1a14bd @ 0x70c414bd 0x790088 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7410f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d67f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d64de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 2287240 registers.edi: 1969676232 registers.eax: 11010048 registers.ebp: 2287444 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 6, 2021, 6 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e
0x6f4b35
0x6f4aaa
0x6f2385
0x6f1d3b
0x6f0285
0x6630f97
system+0x1d3f63 @ 0x6f573f63
0x79fc27
0x79e30c
system+0x19c522 @ 0x70c3c522
system+0x19e920 @ 0x70c3e920
system+0x19e803 @ 0x70c3e803
0x791509
system+0x1f9799 @ 0x70c99799
system+0x1f92c8 @ 0x70c992c8
system+0x1eca74 @ 0x70c8ca74
system+0x1ec868 @ 0x70c8c868
system+0x1f82b8 @ 0x70c982b8
system+0x1ee54d @ 0x70c8e54d
system+0x1f70ea @ 0x70c970ea
system+0x1e56c0 @ 0x70c856c0
system+0x1f8215 @ 0x70c98215
system+0x1f6f75 @ 0x70c96f75
system+0x1ee251 @ 0x70c8e251
system+0x1ee229 @ 0x70c8e229
system+0x1ee170 @ 0x70c8e170
0x42a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a
system+0x1ebc85 @ 0x70c8bc85
system+0x1f683b @ 0x70c9683b
system+0x1a5e44 @ 0x70c45e44
system+0x1fd8a0 @ 0x70c9d8a0
system+0x1fd792 @ 0x70c9d792
system+0x1a14bd @ 0x70c414bd
0x790088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7410f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d67f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d64de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x76a6b479
registers.esp: 2287240
registers.edi: 1969676232
registers.eax: 16973824
registers.ebp: 2287444
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Sept. 6, 2021, 6 p.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e
0x6f4b35
0x6f4aaa
0x6f2385
0x6f1d3b
0x6f0285
0x6630f97
system+0x1d3f63 @ 0x6f573f63
0x79fc27
0x79e30c
system+0x19c522 @ 0x70c3c522
system+0x19e920 @ 0x70c3e920
system+0x19e803 @ 0x70c3e803
0x791509
system+0x1f9799 @ 0x70c99799
system+0x1f92c8 @ 0x70c992c8
system+0x1eca74 @ 0x70c8ca74
system+0x1ec868 @ 0x70c8c868
system+0x1f82b8 @ 0x70c982b8
system+0x1ee54d @ 0x70c8e54d
system+0x1f70ea @ 0x70c970ea
system+0x1e56c0 @ 0x70c856c0
system+0x1f8215 @ 0x70c98215
system+0x1f6f75 @ 0x70c96f75
system+0x1ee251 @ 0x70c8e251
system+0x1ee229 @ 0x70c8e229
system+0x1ee170 @ 0x70c8e170
0x42a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75576de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75576e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77af011a
system+0x1ebc85 @ 0x70c8bc85
system+0x1f683b @ 0x70c9683b
system+0x1a5e44 @ 0x70c45e44
system+0x1fd8a0 @ 0x70c9d8a0
system+0x1fd792 @ 0x70c9d792
system+0x1a14bd @ 0x70c414bd
0x790088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7410f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d67f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d64de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x76a6b479
registers.esp: 2287240
registers.edi: 1969676232
registers.eax: 11010048
registers.ebp: 2287444
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.142.215.237/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/38f584651402b87b6e658beea19bc3711efb647c
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/e1f57414f8caba2ca5e4d8fa52512fb00d1a14f8
suspicious_features	GET method with no useragent header	suspicious_request	GET https://telete.in/brikitiki

Performs some HTTP requests (4 events)

request	POST http://45.142.215.237/
request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/38f584651402b87b6e658beea19bc3711efb647c
request	GET http://45.142.215.237//l/f/nxZPunsBPvGyIjkLqZcB/e1f57414f8caba2ca5e4d8fa52512fb00d1a14f8
request	GET https://telete.in/brikitiki

Sends data using the HTTP POST Method (1 event)

request

POST http://45.142.215.237/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3137 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70822000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07d0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06631000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 1660 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Sept. 6, 2021, 6:01 p.m.	number_of_free_clusters: 2668371 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 6, 2021, 6:01 p.m.	number_of_free_clusters: 2666991 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 6, 2021, 6:01 p.m.	number_of_free_clusters: 2666991 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 6, 2021, 6:01 p.m.	number_of_free_clusters: 2666991 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 130 events)

file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0

Creates executable files on the filesystem (50 out of 63 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32_InUse.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldif60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.pyw.lnk
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\dd81b5e9d99588633b73117e3b1f84f1a6952f9d573057d804047a85abfb8328_1609fbf0d6c26e---38596704027.pdf.lnk
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-string-l1-1-0.dll

Creates a shortcut to an executable file (50 out of 126 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msi2.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Excel 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint\Microsoft SharePoint Workspace 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exe1.zip.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\test.eml.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Word 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Access 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft InfoPath Filler 2010.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\ok1.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\³ª¶óÀåÅÍ\G2BSTOP.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\³ª¶óÀåÅÍ\G2BRUN.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot2.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Automation Reference.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\³ª¶óÀåÅÍ\Uninstall.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\doc.png.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\dd81b5e9d99588633b73117e3b1f84f1a6952f9d573057d804047a85abfb8328_1609fbf0d6c26e---38596704027.pdf.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft OneNote 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot3.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\msoffice2010_32bit.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\doc2.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click_image.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\robot.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\KMSAuto_Net_2015_v1.4. 2.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\docx2.png.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
cmdline	powershell Test-Connection -ComputerName google.com

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

Drops an executable to the user AppData folder (50 out of 58 events)

file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nss3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (20 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 6, 2021, 6 p.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 6, 2021, 6:01 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0014a600', u'virtual_address': u'0x00002000', u'entropy': 7.995324654729699, u'name': u'.text', u'virtual_size': u'0x0014a4c4'}

entropy

7.99532465473

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0001a800', u'virtual_address': u'0x0014e000', u'entropy': 7.596371189031652, u'name': u'.rsrc', u'virtual_size': u'0x0001a7bc'}

entropy

7.59637118903

description

A section with a high entropy has been found

entropy

0.999649859944

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (22 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 6, 2021, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (11 events)

description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 61 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000164 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6 base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 6, 2021, 6:01 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000006a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Terminates another process (40 events)

Time & API	Arguments	Status
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1660 process_handle: 0x00000440
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1660 process_handle: 0x00000440	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2848 process_handle: 0x00000448
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2848 process_handle: 0x00000448	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 276 process_handle: 0x00000460
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 276 process_handle: 0x00000460	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 816 process_handle: 0x0000047c
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 816 process_handle: 0x0000047c	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x00000494
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2136 process_handle: 0x00000494	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2328 process_handle: 0x000004ac
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2328 process_handle: 0x000004ac	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x000004c4
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2272 process_handle: 0x000004c4	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 508 process_handle: 0x000004dc
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 508 process_handle: 0x000004dc	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2748 process_handle: 0x000004f4
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2748 process_handle: 0x000004f4	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2968 process_handle: 0x0000050c
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2968 process_handle: 0x0000050c	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000428
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000428	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x00000440
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x00000440	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1784 process_handle: 0x00000458
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1784 process_handle: 0x00000458	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00000474
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00000474	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x0000048c
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x0000048c	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2332 process_handle: 0x000004a4
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2332 process_handle: 0x000004a4	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2504 process_handle: 0x000004bc
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 2504 process_handle: 0x000004bc	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1636 process_handle: 0x000004d4
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1636 process_handle: 0x000004d4	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 900 process_handle: 0x000004ec
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 900 process_handle: 0x000004ec	1
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1788 process_handle: 0x00000504
NtTerminateProcess Sept. 6, 2021, 6 p.m.	status_code: 0xffffffff process_identifier: 1788 process_handle: 0x00000504	1

Communicates with host for which no DNS query was performed (1 event)

host

45.142.215.237

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 932 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0

Attempts to identify installed AV products by installation directory (13 events)

file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file	C:\ProgramData\Microsoft\Microsoft Antimalware
file	C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
file	C:\ProgramData\Microsoft\Microsoft Security Client
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support
file	C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl

Attempts to detect Cuckoo Sandbox through the presence of a file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file	C:\Python27\agent.pyw

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 932 process_handle: 0x000004a4	1	1	0
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 932 process_handle: 0x000004a4	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 932 process_handle: 0x000004a4	1	1	0

Collects information about installed applications (42 events)

Time & API	Arguments	Status
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: iniLINE CrossEX Service regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\iniLINE_CrossEX\DisplayName	1
RegQueryValueExA Sept. 6, 2021, 6:01 p.m.	key_handle: 0x000006a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: iniLINE CrossEX Service regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\iniLINE_CrossEX\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1764 called NtSetContextThread to modify thread in remote process 932
NtSetContextThread Sept. 6, 2021, 6 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4454519 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 932	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
parent_process	wscript.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 79 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file	C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp863.enc
file	C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0212.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file	C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1256.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-14.enc
file	C:\Python27\tcl\tcl8.5\encoding\big5.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp950.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp874.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file	C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file	C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0201.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCentEuro.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp850.enc
file	C:\Python27\tcl\tcl8.5\encoding\shiftjis.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1251.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0208.enc
file	C:\Python27\tcl\tcl8.5\encoding\macUkraine.enc
file	C:\Python27\tcl\tcl8.5\encoding\macTurkish.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCyrillic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-1.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRomania.enc
file	C:\Python27\tcl\tcl8.5\encoding\ebcdic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-4.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1250.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp862.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1764 resumed a thread in remote process 932
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 932	1	0	0

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW Sept. 6, 2021, 6:01 p.m.	net_type: 0x00250000		1222	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 148 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1764	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1764	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1764	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1764	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 896 thread_handle: 0x00000414 process_identifier: 1660 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000424	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 2792 thread_handle: 0x00000420 process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000444	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 2540 thread_handle: 0x00000444 process_identifier: 276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000045c	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 1580 thread_handle: 0x00000458 process_identifier: 816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x0000046c suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 2076 thread_handle: 0x00000478 process_identifier: 2136 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000490	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 1768 thread_handle: 0x00000490 process_identifier: 2328 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a8	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 928 thread_handle: 0x000004a8 process_identifier: 2272 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004c0	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000004b4 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 2408 thread_handle: 0x000004c0 process_identifier: 508 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d8	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 3000 thread_handle: 0x000004d8 process_identifier: 2748 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004f0	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000004e4 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 264 thread_handle: 0x000004f0 process_identifier: 2968 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000508	1	1
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1764	1	0
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 2140 thread_handle: 0x0000043c process_identifier: 1376 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000038c	1	1
CreateProcessInternalW Sept. 6, 2021, 6 p.m.	thread_identifier: 1768 thread_handle: 0x000002b0 process_identifier: 932 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ghjkl.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004a4	1	1
NtGetContextThread Sept. 6, 2021, 6 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory Sept. 6, 2021, 6 p.m.	process_identifier: 932 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $G[¡:ÏÉ:ÏÉ:ÏÉXRÌÈ:ÏÉXRÊÈ¿:ÏÉXRÈÈ:ÏÉQOËÈ:ÏÉQOÌÈ:ÏÉQOÊÈS:ÏÉXRËÈ:ÏÉXRÉÈ:ÏÉXRÎÈ:ÏÉ:ÎÉð:ÏÉ[OÆÈ:ÏÉ[OÍÈ:ÏÉRich:ÏÉPELìraà¢@wøÀ@ @BÀüQÈÔ8Õ@À°.text ¢ `.rdataâÀ¦@@.dataT`F>@À.relocüQÀR@B base_address: 0x00400000 process_identifier: 932 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: base_address: 0x00401000 process_identifier: 932 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 6, 2021, 6 p.m.	buffer: base_address: 0x0046c000 process_identifier: 932 process_handle: 0x000004a4	1	1

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37527736
FireEye	Generic.mg.b23d6c5698935797
ALYac	Trojan.GenericKD.37527736
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/MSIL_Kryptik.DWR.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ACRJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Chapak.gen
BitDefender	Trojan.GenericKD.37527736
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan.Chapak.Pcin
Ad-Aware	Trojan.GenericKD.37527736
Sophos	Mal/Generic-S
Comodo	Malware@#2v9cxq8ha77ru
DrWeb	Trojan.Siggen15.5066
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.37527736 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.TE
Avira	TR/Chapak.ichjn
Antiy-AVL	Trojan/Generic.ASMalwS.348B6E4
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/AgentTesla!ml
GData	Trojan.GenericKD.37527736
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MalwareX-gen.C4622882
McAfee	AgentTesla-FDCV!B23D6C569893
MAX	malware (ai score=94)
Malwarebytes	Spyware.RaccoonStealer
Ikarus	Trojan.SuspectCRC
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ACNM!tr
BitDefenderTheta	Gen:NN.ZemsilF.34126.zn0@aS4NWFi
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.985001
Panda	Trj/GdSda.A

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

ghjkl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All