Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 8, 2021, 11:16 a.m.	Oct. 8, 2021, 11:19 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e8a4177eb1ca6ffcb252e7cd2e8b1814`
SHA256	`31b0f01effcb3ceb506694ab49e3f3f9702090a449c2182ab2cfcd969b378f18`
CRC32	`4C4FA7E8`
ssdeep	`12288:OeA04DyL9pD3n+0SN19iMfTO3qKE65aIF8TfEIF3c7u:9O+L7D3+1HTa15DYfEI1+`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) NPKI_Zero - File included NPKI

rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
732
- rundll32.exe "C:\Users\test22\AppData\Local\Temp\rundll32.exe"
  1316
  - cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit
    2548
    - taskkill.exe taskkill /pid 1316
      2444
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
lg-tvproducts.xyz	A 195.133.18.140	195.133.18.140

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.133.18.140	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 195.133.18.140:80 -> 192.168.56.101:49203	2026537	ET HUNTING Suspicious EXE Download Content-Type image/jpeg	Potential Corporate Privacy Violation
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2010067	ET POLICY Data POST to an image file (jpg)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2027108	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2033886	ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 195.133.18.140:80	2031189	ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 8, 2021, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 8, 2021, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 8, 2021, 11:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 8, 2021, 11:16 a.m.			0	0
IsDebuggerPresent Oct. 8, 2021, 11:16 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 8, 2021, 11:17 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 8, 2021, 11:17 a.m.	buffer: ERROR: The process "1316" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 8, 2021, 11:16 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/6.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/1.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/2.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/3.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/4.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/5.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/7.jpg
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/main.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://lg-tvproducts.xyz/

Performs some HTTP requests (9 events)

request	POST http://lg-tvproducts.xyz/6.jpg
request	POST http://lg-tvproducts.xyz/1.jpg
request	POST http://lg-tvproducts.xyz/2.jpg
request	POST http://lg-tvproducts.xyz/3.jpg
request	POST http://lg-tvproducts.xyz/4.jpg
request	POST http://lg-tvproducts.xyz/5.jpg
request	POST http://lg-tvproducts.xyz/7.jpg
request	POST http://lg-tvproducts.xyz/main.php
request	POST http://lg-tvproducts.xyz/

Sends data using the HTTP POST Method (9 events)

request	POST http://lg-tvproducts.xyz/6.jpg
request	POST http://lg-tvproducts.xyz/1.jpg
request	POST http://lg-tvproducts.xyz/2.jpg
request	POST http://lg-tvproducts.xyz/3.jpg
request	POST http://lg-tvproducts.xyz/4.jpg
request	POST http://lg-tvproducts.xyz/5.jpg
request	POST http://lg-tvproducts.xyz/7.jpg
request	POST http://lg-tvproducts.xyz/main.php
request	POST http://lg-tvproducts.xyz/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 66 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73da2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b22000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737cb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724da000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00831000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e664000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e3e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:16 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d221000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00833000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00834000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00835000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 8, 2021, 11:11 a.m.	total_number_of_free_bytes: 13726904320 free_bytes_available: 13726904320 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Local State

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\sqlite3.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	cmd.exe /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\rundll32.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\rundll32.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1316)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 8, 2021, 11:17 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit filepath: cmd.exe	1	1	0

An executable file was downloaded by the process rundll32.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 8, 2021, 11:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 8, 2021, 11:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Oct. 8, 2021, 11:17 a.m.	regkey_r: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 8, 2021, 11:17 a.m.	status_code: 0xffffffff process_identifier: 2408 process_handle: 0x000002d0		0	0
NtTerminateProcess Oct. 8, 2021, 11:17 a.m.	status_code: 0xffffffff process_identifier: 2408 process_handle: 0x000002d0	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit
cmdline	taskkill /pid 1316

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 2408 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ec		3221225496	0
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000314	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (19 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\
file	C:\Users\test22\AppData\Roaming\Electrum\wallets\
file	C:\Users\test22\AppData\Roaming\Litecoin\
file	C:\Users\test22\AppData\Roaming\Namecoin\
file	C:\Users\test22\AppData\Roaming\Terracoin\
file	C:\Users\test22\AppData\Roaming\Primecoin\
file	C:\Users\test22\AppData\Roaming\Freicoin\
file	C:\Users\test22\AppData\Roaming\devcoin\
file	C:\Users\test22\AppData\Roaming\Franko\
file	C:\Users\test22\AppData\Roaming\Megacoin\
file	C:\Users\test22\AppData\Roaming\Infinitecoin\
file	C:\Users\test22\AppData\Roaming\Ixcoin\
file	C:\Users\test22\AppData\Roaming\Anoncoin\
file	C:\Users\test22\AppData\Roaming\BBQCoin\
file	C:\Users\test22\AppData\Roaming\digitalcoin\
file	C:\Users\test22\AppData\Roaming\Mincoin\
file	C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\
file	C:\Users\test22\AppData\Roaming\YACoin\
file	C:\Users\test22\AppData\Roaming\Florincoin\

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\rundll32.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 manipulating memory of non-child process 2408
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 2408 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ec		3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $; ü_ZN¯_ZN¯_ZN¯ÌÖ¯^ZN¯0,Ð¯GZN¯0,ä¯ÙZN¯0,å¯lZN¯V"Í¯]ZN¯V"Ý¯XZN¯_ZO¯3ZN¯0,á¯TZN¯0,Ó¯^ZN¯Rich_ZN¯PEL¡Ü_à Zö{qp@@dèPP\!Ù@p.text#YZ `.rdataxp^@@.data(Dà@À.reloc,P.ò@B base_address: 0x00400000 process_identifier: 1316 process_handle: 0x00000314	1	1	0
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1316 process_handle: 0x00000314	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $; ü_ZN¯_ZN¯_ZN¯ÌÖ¯^ZN¯0,Ð¯GZN¯0,ä¯ÙZN¯0,å¯lZN¯V"Í¯]ZN¯V"Ý¯XZN¯_ZO¯3ZN¯0,á¯TZN¯0,Ó¯^ZN¯Rich_ZN¯PEL¡Ü_à Zö{qp@@dèPP\!Ù@p.text#YZ `.rdataxp^@@.data(Dà@À.reloc,P.ò@B base_address: 0x00400000 process_identifier: 1316 process_handle: 0x00000314	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Oct. 8, 2021, 11:17 a.m.	key_handle: 0x00000324 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!E8A4177EB1CA
Cylance	Unsafe
Cybereason	malicious.75cf1b
Symantec	Scr.Malcode!gdn30
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	BehavesLike.Win32.Fareit.tm
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/AveMaria.GV!MTB
GData	Win32.Trojan.OskiStealer.DCE3XS
eGambit	Unsafe.AI_Score_95%
Fortinet	MSIL/GenKryptik.FLPG!tr
CrowdStrike	win/malicious_confidence_90% (W)

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 called NtSetContextThread to modify thread in remote process 1316
NtSetContextThread Oct. 8, 2021, 11:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4223355 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 1316	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 resumed a thread in remote process 1316
NtResumeThread Oct. 8, 2021, 11:17 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1316	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 8, 2021, 11:16 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Oct. 8, 2021, 11:16 a.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 732	1	0
NtResumeThread Oct. 8, 2021, 11:16 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 732	1	0
CreateProcessInternalW Oct. 8, 2021, 11:17 a.m.	thread_identifier: 1632 thread_handle: 0x00000304 process_identifier: 2408 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ec	1	1
NtGetContextThread Oct. 8, 2021, 11:17 a.m.	thread_handle: 0x00000304	1	0
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 2408 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ec		3221225496
CreateProcessInternalW Oct. 8, 2021, 11:17 a.m.	thread_identifier: 1760 thread_handle: 0x000002d0 process_identifier: 1316 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rundll32.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rundll32.exe stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000314	1	1
NtGetContextThread Oct. 8, 2021, 11:17 a.m.	thread_handle: 0x000002d0	1	0
NtAllocateVirtualMemory Oct. 8, 2021, 11:17 a.m.	process_identifier: 1316 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000314	1	0
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $; ü_ZN¯_ZN¯_ZN¯ÌÖ¯^ZN¯0,Ð¯GZN¯0,ä¯ÙZN¯0,å¯lZN¯V"Í¯]ZN¯V"Ý¯XZN¯_ZO¯3ZN¯0,á¯TZN¯0,Ó¯^ZN¯Rich_ZN¯PEL¡Ü_à Zö{qp@@dèPP\!Ù@p.text#YZ `.rdataxp^@@.data(Dà@À.reloc,P.ò@B base_address: 0x00400000 process_identifier: 1316 process_handle: 0x00000314	1	1
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 1316 process_handle: 0x00000314	1	1
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: base_address: 0x00427000 process_identifier: 1316 process_handle: 0x00000314	1	1
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: base_address: 0x00430000 process_identifier: 1316 process_handle: 0x00000314	1	1
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: base_address: 0x00435000 process_identifier: 1316 process_handle: 0x00000314	1	1
WriteProcessMemory Oct. 8, 2021, 11:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1316 process_handle: 0x00000314	1	1
NtSetContextThread Oct. 8, 2021, 11:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4223355 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 1316	1	0
NtResumeThread Oct. 8, 2021, 11:17 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 1316	1	0
CreateProcessInternalW Oct. 8, 2021, 11:17 a.m.	thread_identifier: 2220 thread_handle: 0x0000044c process_identifier: 2548 current_directory: C:\ProgramData filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1316 & erase C:\Users\test22\AppData\Local\Temp\rundll32.exe & RD /S /Q C:\\ProgramData\\367495499419603\\* & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000450	1	1
CreateProcessInternalW Oct. 8, 2021, 11:17 a.m.	thread_identifier: 2216 thread_handle: 0x00000084 process_identifier: 2444 current_directory: C:\ProgramData filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /pid 1316 filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

rundll32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All