Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 29, 2021, 9:25 a.m.	Oct. 29, 2021, 9:40 a.m.

Size	423.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e574ad4af9b6fc033fdf0b54ca7bf014`
SHA256	`aac10de776b17f3ca3aeb885077a2d102f8bd07ae71ffd49e818cabb6a88173a`
CRC32	`C977F374`
ssdeep	`6144:tGSJuACKe4j1+GG2KXwdG6oD+fT43HeR+ZMATjDp8Zr5NvCn1cFw:tGtACKe4Z+ighD+L22ATjCZHvCnS`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

fed.exe "C:\Users\test22\AppData\Local\Temp\fed.exe"
2480
- fed.exe "C:\Users\test22\AppData\Local\Temp\fed.exe"
  2596
  - cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "fed.exe"
    3020
    - timeout.exe C:\Windows\system32\timeout.exe 3
      2752

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.133.1.13	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 45.133.1.13:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 45.133.1.13:80 -> 192.168.56.103:49169	2029136	ET MALWARE AZORult v3.3 Server Response M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 45.133.1.13:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 45.133.1.13:80	2016858	ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 239 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 29, 2021, 9:25 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\fed.exe console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2021, 9:25 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 29, 2021, 9:25 a.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2021, 9:25 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 9:25 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://45.133.1.13/xsaz/index.php

Performs some HTTP requests (1 event)

request

POST http://45.133.1.13/xsaz/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://45.133.1.13/xsaz/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02071000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02076000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02081000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02086000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02121000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02127000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02157000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

fed.exe tried to sleep 296 seconds, actually delayed analysis time by 296 seconds

Steals private information from local Internet browsers (50 out of 144 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\Web Data

Creates executable files on the filesystem (48 events)

file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-handle-l1-1-0.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "fed.exe"
cmdline	C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "fed.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\fed.exe

Drops an executable to the user AppData folder (49 events)

file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\fed.exe
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\nssdbm3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E1070B8B\api-ms-win-crt-process-l1-1-0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 29, 2021, 9:25 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c C:\Windows\system32\timeout.exe 3 & del "fed.exe" filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (36 events)

Time & API	Arguments	Status	Return
Process32FirstW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: [System Process] process_identifier: 0	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: System process_identifier: 4	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: smss.exe process_identifier: 232	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: services.exe process_identifier: 440	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 792	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 836	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 988	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: spoolsv.exe process_identifier: 1032	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 1084	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: taskhost.exe process_identifier: 1152	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 1372	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: sppsvc.exe process_identifier: 1676	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: svchost.exe process_identifier: 1748	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: dwm.exe process_identifier: 1900	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: explorer.exe process_identifier: 1924	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: pw.exe process_identifier: 2016	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: SearchIndexer.exe process_identifier: 1180	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: SearchFilterHost.exe process_identifier: 1124	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: mobsync.exe process_identifier: 2880	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: pw.exe process_identifier: 2936	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: taskhost.exe process_identifier: 3064	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: SearchProtocolHost.exe process_identifier: 2276	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: fed.exe process_identifier: 2480	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: fed.exe process_identifier: 2596	1	1
Process32NextW Oct. 29, 2021, 9:25 a.m.	snapshot_handle: 0x000002dc process_name: WmiPrvSE.exe process_identifier: 2132	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 29, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (17 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExA Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000033c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000340 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000344 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000348 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000034c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000350 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000354 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000358 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000035c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000360 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000364 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000036c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000370 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000374 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000378 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000037c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000380 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000384 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000388 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000038c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000390 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000394 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000398 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000003a0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003a4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000003a8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000003ac options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000003b0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000003b4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000003b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003bc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000003c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000003c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000003cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000003d0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003d4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000003d8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000003e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000003e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000003e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000003ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000003f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000003f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Oct. 29, 2021, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000003fc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "fed.exe"
cmdline	C:\Windows\System32\cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "fed.exe"

Communicates with host for which no DNS query was performed (1 event)

host

45.133.1.13

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2596 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (22 events)

file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\EditPlus\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Thunderbird\wallets\wallet.dat
file	C:\Users\test22\AppData\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Sun\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallet.dat
file	C:\Users\test22\AppData\Roaming\Identities\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Adobe\wallet.dat
file	C:\Users\test22\AppData\Roaming\Mozilla\wallet.dat
file	C:\Users\test22\AppData\Roaming\Adobe\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Sun\wallet.dat
file	C:\Users\test22\AppData\Roaming\HNC\wallet.dat
file	C:\Users\test22\AppData\Roaming\wallet.dat
file	C:\Users\test22\AppData\Roaming\Thunderbird\wallet.dat
file	C:\Users\test22\AppData\wallet.dat
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\wallet.dat
file	C:\Users\test22\AppData\Roaming\Macromedia\wallet.dat
file	C:\Users\test22\AppData\Roaming\Mozilla\wallets\wallet.dat

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\filezilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ7ÖØ7ÖsØ$ÓØ$nsØ7sØ7sØ$ÓØ$nsØ$ÓØ$nsØ7sØ$ÓsØXØ'ÔØÓsØXÖØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØ1âÜEª®;Ó7¡X°rwÛ4¶2P{næ¼¤åÅ©?neêÂáC0D,Þ¼ø©Q×fÍ«^ìí7î8lÍÊnn\~JÊ[¹ÝÑª;rÌµÑp× ¸ÕÁ¬±øÀ&îÚÁá {O£Mé±ÃµÚ3}_Ë>«®ËQ ÛîM`°éVÜ»hçÆsÂ5 £ñp$ÀÅIôËÆÉøsÊQËÅÜ£-«VÐ8ëËý7¡~(]- ð¤ô×§sö®">ÝÏ,w»ßúù;m Öm¶ä+¥S±¶~(Ãóù¿Y§É'c¨C©¸iö<8ÀFÍb¬N÷ëÝ³9áàñ.¢6âB©mmÜý!'j%¼¬!ÊgØ¾S×j¼=oÕmåÀXô×`-d-Ð·öÀUã+Öì/Þl'¸cc+³x¸»ª:âq¨Éâ)§¿< üTìaúÛR^Ò<±ªF ¹»åöÑ\|°</õ};¯Jõaàvü:6)ïu{ø1Öãá"õ¹tzA ódÑn¢Y+ç¼R¿ëÀ Äó9xW/hÒk'÷¢ä¨©+UÖ^Â,'äa ³ä6Í Ðz ¢ÏìeÃ÷½ÚBúh´ìuL/IØpbxMÁÔò-%èZ°ÆcëÏÅ²\|ß [.ÝX,^ÃÇ#ÉÆöB.;ÄÊ\ èÅ° ?óè·þ%ø&]ÎëþaÈ¾°»9SÜÎ¨ú#tîÃ¦Á/àÐaI¤k×ié %æë!U²Ô°nØW$¯é)îK7c½"¨g J¹ì¿ÕÆì¿½®sU6`þ-ÉøÝyO ûö Þµc2iK´fjPêÇ\ÂÙ+yzô¾óÝmAÐ³ðÇ58Tc½îËwµtó\|ªÝ²¤>Üsµ¶ùÏHK:MÖ»4òª^Ûõ¿?¥oKZ]ãNÇJZWÄn.5{'k¿¥¨¿øÞ®æ³yv íìUýq©mÇâ°éoàF?e?G%( ÚMú$gEA)Ø^ø%<OkôðÚÈTYAyîz(=ç'x×l@½F?÷¸ér2 Ïdê8æ_n ]»=ÕèdqmÁ?ùÇIÀUa>É´¨>ç§Ð¯ªì"Î4ûxoÉ$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇA base_address: 0x0041b000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x000002b8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2596 process_handle: 0x000002b8	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x0000033c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x0000034c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000364 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000374 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x0000037c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003ac regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003b4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003cc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003d4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000003fc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000408 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000410 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000418 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000428 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000430 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000448 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000450 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000460 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000468 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000478 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000480 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000488 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000490 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x00000498 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000004a0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000004a8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000004b0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000004b8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Oct. 29, 2021, 9:25 a.m.	key_handle: 0x000004c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (2 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2480 called NtSetContextThread to modify thread in remote process 2596
NtSetContextThread Oct. 29, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2596	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (22 events)

file	C:\Users\test22\AppData\Roaming\Identities\.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Thunderbird\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\.wallet
file	C:\Users\test22\AppData\Roaming\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Sun\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\.wallet
file	C:\Users\test22\AppData\Roaming\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\.wallet
file	C:\Users\test22\AppData\.wallet
file	C:\Users\test22\AppData\Roaming\HNC\.wallet
file	C:\Users\test22\AppData\Roaming\Microsoft\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\EditPlus\wallets\.wallet
file	C:\Users\test22\AppData\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Identities\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Thunderbird\.wallet
file	C:\Users\test22\AppData\Roaming\Macromedia\wallets\.wallet
file	C:\Users\test22\AppData\Roaming\Adobe\.wallet
file	C:\Users\test22\AppData\Roaming\Sun\.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2480 resumed a thread in remote process 2596
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2596	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.89afa9
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Injector.VRI
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
FireEye	Generic.mg.e574ad4af9b6fc03
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
McAfee	Artemis!E574AD4AF9B6
Ikarus	Trojan.MSIL.Injector
eGambit	Unsafe.AI_Score_99%
BitDefenderTheta	Gen:NN.ZemsilF.34236.Am0@ambsAGhi
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_90% (W)
MaxSecure	Trojan.Malware.300983.susgen

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2480	1	0
CreateProcessInternalW Oct. 29, 2021, 9:25 a.m.	thread_identifier: 2532 thread_handle: 0x000002b4 process_identifier: 2596 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\fed.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\fed.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\fed.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2596 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: base_address: 0x00401000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ7ÖØ7ÖsØ$ÓØ$nsØ7sØ7sØ$ÓØ$nsØ$ÓØ$nsØ7sØ$ÓsØXØ'ÔØÓsØXÖØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØ1âÜEª®;Ó7¡X°rwÛ4¶2P{næ¼¤åÅ©?neêÂáC0D,Þ¼ø©Q×fÍ«^ìí7î8lÍÊnn\~JÊ[¹ÝÑª;rÌµÑp× ¸ÕÁ¬±øÀ&îÚÁá {O£Mé±ÃµÚ3}_Ë>«®ËQ ÛîM`°éVÜ»hçÆsÂ5 £ñp$ÀÅIôËÆÉøsÊQËÅÜ£-«VÐ8ëËý7¡~(]- ð¤ô×§sö®">ÝÏ,w»ßúù;m Öm¶ä+¥S±¶~(Ãóù¿Y§É'c¨C©¸iö<8ÀFÍb¬N÷ëÝ³9áàñ.¢6âB©mmÜý!'j%¼¬!ÊgØ¾S×j¼=oÕmåÀXô×`-d-Ð·öÀUã+Öì/Þl'¸cc+³x¸»ª:âq¨Éâ)§¿< üTìaúÛR^Ò<±ªF ¹»åöÑ\|°</õ};¯Jõaàvü:6)ïu{ø1Öãá"õ¹tzA ódÑn¢Y+ç¼R¿ëÀ Äó9xW/hÒk'÷¢ä¨©+UÖ^Â,'äa ³ä6Í Ðz ¢ÏìeÃ÷½ÚBúh´ìuL/IØpbxMÁÔò-%èZ°ÆcëÏÅ²\|ß [.ÝX,^ÃÇ#ÉÆöB.;ÄÊ\ èÅ° ?óè·þ%ø&]ÎëþaÈ¾°»9SÜÎ¨ú#tîÃ¦Á/àÐaI¤k×ié %æë!U²Ô°nØW$¯é)îK7c½"¨g J¹ì¿ÕÆì¿½®sU6`þ-ÉøÝyO ûö Þµc2iK´fjPêÇ\ÂÙ+yzô¾óÝmAÐ³ðÇ58Tc½îËwµtó\|ªÝ²¤>Üsµ¶ùÏHK:MÖ»4òª^Ûõ¿?¥oKZ]ãNÇJZWÄn.5{'k¿¥¨¿øÞ®æ³yv íìUýq©mÇâ°éoàF?e?G%( ÚMú$gEA)Ø^ø%<OkôðÚÈTYAyîz(=ç'x×l@½F?÷¸ér2 Ïdê8æ_n ]»=ÕèdqmÁ?ùÇIÀUa>É´¨>ç§Ð¯ªì"Î4ûxoÉ$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇA base_address: 0x0041b000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: base_address: 0x0041e000 process_identifier: 2596 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x000002b8	1	1
NtSetContextThread Oct. 29, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2596	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2596	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2596	1	0
CreateProcessInternalW Oct. 29, 2021, 9:25 a.m.	thread_identifier: 2996 thread_handle: 0x00000548 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp\ filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "fed.exe" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000054c	1	1
CreateProcessInternalW Oct. 29, 2021, 9:25 a.m.	thread_identifier: 2756 thread_handle: 0x00000084 process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: C:\Windows\system32\timeout.exe 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

fed.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All