Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 11, 2021, 9:55 a.m.	Oct. 11, 2021, 10:06 a.m.

Size	5.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`583ec7c5fb5616cf290f0f5ec21582d7`
SHA256	`b57dbb7601b0c59ee978d1201f31935c0d869f29c49259a879a627e768cff74c`
CRC32	`9B7C19BB`
ssdeep	`98304:8SiiW/MPTZPY1kzHHS5UyLfgWJaJCUx0yT4z0AYY+nPcMy:ukUkzHy5zf/STbTEv5Kcj`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library

bwmonitor.exe "C:\Users\test22\AppData\Local\Temp\bwmonitor.exe"
1468
- bwmonitor.tmp "C:\Users\test22\AppData\Local\Temp\is-E7MH1.tmp\bwmonitor.tmp" /SL5="$D0240,4523865,831488,C:\Users\test22\AppData\Local\Temp\bwmonitor.exe"
  1684
  - cmd.exe "cmd" /c "start https://iplogger.org/1hWNy7"
    556
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2408
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2408 CREDAT:145409
        2656
  - 1234567.sfx.exe "C:\Program Files (x86)\Bandwidth Monitor\1234567.sfx.exe" -p123 -s1
    560
    - 1234567.exe "C:\Program Files (x86)\Bandwidth Monitor\1234567.exe"
      2056
  - BWMonitor.exe "C:\Program Files (x86)\Bandwidth Monitor\BWMonitor.exe"
    2092
    - hh.exe "C:\Windows\hh.exe" C:\Program Files (x86)\Bandwidth Monitor\BWMonitor.chm
      2544
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
8yfg.federguda.ru	A 81.177.141.85	81.177.141.85
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
40.121.139.210	Active	Moloch
81.177.141.85	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49222 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49222 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.101:49221 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 11, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 11, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 11, 2021, 9:55 a.m.			0	0
IsDebuggerPresent Oct. 11, 2021, 10:04 a.m.			0	0
IsDebuggerPresent Oct. 11, 2021, 10:04 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007217c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00721dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00722240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007222c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 11, 2021, 10:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007222c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 11, 2021, 10:04 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (18 events)

Time & API	Arguments	Status
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 104854784 registers.edi: 80378668 registers.eax: 104854784 registers.ebp: 104854864 registers.edx: 6508316 registers.ebx: 104855148 registers.esi: 2147746133 registers.ecx: 79933968	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6f98540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6f9852ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6fa60ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 82369128 registers.edi: 1957755408 registers.eax: 82369128 registers.ebp: 82369208 registers.edx: 1 registers.ebx: 6436940 registers.esi: 2147746133 registers.ecx: 2703783662	1
__exception__ Oct. 11, 2021, 10:04 a.m.	stacktrace: 1234567+0x5150b9 @ 0x17c50b9 1234567+0x515168 @ 0x17c5168 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 f3 31 bc 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3734932 registers.edi: 20668416 registers.eax: 3734932 registers.ebp: 3735012 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 1524891648	1
__exception__ Oct. 11, 2021, 10:04 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 99 ff e3 ff exception.symbol: 1234567+0x54d277 exception.instruction: in eax, dx exception.module: 1234567.exe exception.exception_code: 0xc0000096 exception.offset: 5558903 exception.address: 0x17fd277 registers.esp: 3735052 registers.edi: 23343876 registers.eax: 1750617430 registers.ebp: 20668416 registers.edx: 7034966 registers.ebx: 0 registers.esi: 23356498 registers.ecx: 20	1
__exception__ Oct. 11, 2021, 10:04 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: 1234567+0x54d2eb exception.instruction: in eax, dx exception.module: 1234567.exe exception.exception_code: 0xc0000096 exception.offset: 5559019 exception.address: 0x17fd2eb registers.esp: 3735052 registers.edi: 23343876 registers.eax: 1447909480 registers.ebp: 20668416 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 23356498 registers.ecx: 10	1
__exception__ Oct. 11, 2021, 10:04 a.m.	stacktrace: 0x62b2b1 0x62b126 0x625b90 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 15 33 c0 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62b3dd registers.esp: 3731632 registers.edi: 3731660 registers.eax: 0 registers.ebp: 3731672 registers.edx: 7243024 registers.ebx: 50624732 registers.esi: 52472624 registers.ecx: 0	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x62e9b7 0x62e8f9 0x62de8b 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731304 registers.edi: 51919876 registers.eax: 0 registers.ebp: 3731372 registers.edx: 91777844 registers.ebx: 51920196 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x62e9b7 0x62e8f9 0x62de8b 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731304 registers.edi: 57896112 registers.eax: 0 registers.ebp: 3731372 registers.edx: 91777844 registers.ebx: 57896432 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x62e9b7 0x62e8f9 0x62de8b 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731304 registers.edi: 58937500 registers.eax: 0 registers.ebp: 3731372 registers.edx: 91777844 registers.ebx: 58937820 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x69026f6 0x6902649 0x62df30 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731296 registers.edi: 59977956 registers.eax: 0 registers.ebp: 3731364 registers.edx: 91777844 registers.ebx: 59978276 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x69026f6 0x6902649 0x62df30 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731296 registers.edi: 52393284 registers.eax: 0 registers.ebp: 3731364 registers.edx: 91777844 registers.ebx: 52393604 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x69026f6 0x6902649 0x62df30 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731296 registers.edi: 53513792 registers.eax: 0 registers.ebp: 3731364 registers.edx: 91777844 registers.ebx: 53514112 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6902c35 0x6902b89 0x62dfbd 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 54634392 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 54634712 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6902c35 0x6902b89 0x62dfbd 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 55815616 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 55815936 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6902c35 0x6902b89 0x62dfbd 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 52503704 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 52504024 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6903025 0x6902f79 0x62e02e 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 53685008 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 53685328 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6903025 0x6902f79 0x62e02e 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 54868484 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 54868804 registers.esi: 0 registers.ecx: 91778464	1
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: 0x6903025 0x6902f79 0x62e02e 0x62d94d 0x62b5e1 0x625b54 0x625830 0x6201a0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6da02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6da1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6da12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6dac74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6dac7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6db51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6db51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6db51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6db5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x6e17f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x6e1f7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x6e1f4de3 exception.instruction_r: 8b 40 04 89 45 c4 33 c0 83 3d 48 33 04 04 00 74 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62ece0 registers.esp: 3731300 registers.edi: 56051960 registers.eax: 0 registers.ebp: 3731368 registers.edx: 91777844 registers.ebx: 56052280 registers.esi: 0 registers.ecx: 91778464	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://8yfg.federguda.ru/

Performs some HTTP requests (4 events)

request	GET http://8yfg.federguda.ru/
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://iplogger.org/1hWNy7
request	GET https://iplogger.org/favicon.ico

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

8yfg.federguda.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 312 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 9:55 a.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 region_size: 14487552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03120000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d53000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76809000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:05 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 region_size: 15142912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d53000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76809000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755df000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75737000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755b8000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Oct. 11, 2021, 9:55 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: C:\Program Files (x86)\Bandwidth Monitor\ total_number_of_bytes: 70707124072		0
GetDiskFreeSpaceExW Oct. 11, 2021, 9:55 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13717430272 root_path: C:\Program Files (x86)\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Oct. 11, 2021, 9:49 a.m.	total_number_of_free_bytes: 13713207296 free_bytes_available: 13713207296 root_path: C:\ total_number_of_bytes: 34252779520	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2408 crashed
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 104854784 registers.edi: 80378668 registers.eax: 104854784 registers.ebp: 104854864 registers.edx: 6508316 registers.ebx: 104855148 registers.esi: 2147746133 registers.ecx: 79933968	1	0	0
__exception__ Oct. 11, 2021, 10:05 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6f98540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6f9852ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6fa60ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 82369128 registers.edi: 1957755408 registers.eax: 82369128 registers.ebp: 82369208 registers.edx: 1 registers.ebx: 6436940 registers.esi: 2147746133 registers.ecx: 2703783662	1	0	0

Application Crash

Process iexplore.exe with pid 2408 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 11, 2021, 10:05 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 104854784
registers.edi: 80378668
registers.eax: 104854784
registers.ebp: 104854864
registers.edx: 6508316
registers.ebx: 104855148
registers.esi: 2147746133
registers.ecx: 79933968

__exception__

Oct. 11, 2021, 10:05 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6f98540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6f9852ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6fa60ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 82369128
registers.edi: 1957755408
registers.eax: 82369128
registers.ebp: 82369208
registers.edx: 1
registers.ebx: 6436940
registers.esi: 2147746133
registers.ecx: 2703783662

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bandwidth Monitor\Bandwidth Monitor.lnk
file	C:\Program Files (x86)\Bandwidth Monitor\1234567.exe

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bandwidth Monitor\Bandwidth Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bandwidth Monitor\Bandwidth Monitor.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (1 event)

file	C:\Program Files (x86)\Bandwidth Monitor\1234567.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-E7MH1.tmp\bwmonitor.tmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 11, 2021, 10:04 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 11, 2021, 10:04 a.m.	flags: 15 family: 0		111	0

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (44 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Oct. 11, 2021, 9:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1		2
RegOpenKeyExW Oct. 11, 2021, 9:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1		2
RegOpenKeyExW Oct. 11, 2021, 9:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1		2
RegOpenKeyExW Oct. 11, 2021, 9:55 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1		2
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004d4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: AddressBook base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: Connection Manager base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: DirectDrawEx base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: EditPlus base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: ENTERPRISE base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: Fontcore base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: Google Chrome base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: IE40 base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: IE4Data base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: IE5BAKEX base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: IEData base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: MobileOptionPack base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: SchedulingAgent base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: WIC base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1 base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Oct. 11, 2021, 10:05 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000004d4 key_handle: 0x000002bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2408 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	40.121.139.210

Checks for the presence of known windows from debuggers and forensic tools (50 out of 56 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:04 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Oct. 11, 2021, 10:05 a.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (28 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Bandwidth Monitor version 3.4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{004EB43E-BD06-4E50-98DE-FD642BD6E9C8}_is1\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 11, 2021, 10:05 a.m.	key_handle: 0x000002bc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

FireEye	Gen:Variant.Midie.99812
McAfee	Artemis!583EC7C5FB56
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.baaf46
Arcabit	Trojan.Midie.D185E4
BitDefender	Gen:Variant.Midie.99812
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan	Gen:Variant.Midie.99812
Avast	Win32:Malware-gen
Ad-Aware	Gen:Variant.Midie.99812
Emsisoft	Gen:Variant.Midie.99812 (B)
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Midie.99812
ALYac	Gen:Variant.Midie.99812
AVG	Win32:Malware-gen

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2408 resumed a thread in remote process 2656
NtResumeThread Oct. 11, 2021, 10:04 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2656	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 11, 2021, 10:04 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 11, 2021, 10:04 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: 1234567+0x54d2eb exception.instruction: in eax, dx exception.module: 1234567.exe exception.exception_code: 0xc0000096 exception.offset: 5559019 exception.address: 0x17fd2eb registers.esp: 3735052 registers.edi: 23343876 registers.eax: 1447909480 registers.ebp: 20668416 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 23356498 registers.ecx: 10	1	0	0

Generates some ICMP traffic

bwmonitor.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All