Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 1, 2021, 6:25 p.m.	Nov. 1, 2021, 6:27 p.m.

Size	552.9KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e0f1da55d595ccd8fa30eb7488b71ca2`
SHA256	`8b0bcfde5b6b65ad02f37b0b820d0af370155464ad42145bad1f2d0fec1f48c3`
CRC32	`5AF2FD7A`
ssdeep	`6144:BxA+EeaI0R1FmYtLf3I/sBqt8EQn/Blzaao9jUHFCsLAXJ/phvUReO:LWFR1FmY9FYLQnVAOpEXtphvUf`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

180.exe "C:\Users\test22\AppData\Local\Temp\180.exe"
2012
- RegAsm.exe #cmd
  1620
  - filename.exe "C:\Users\test22\AppData\Local\Temp\filename.exe"
    288

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
91.243.32.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49190 -> 162.159.135.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49190 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 6:25 p.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 6:25 p.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 6:25 p.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 6:25 p.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 6:26 p.m.			0	0
IsDebuggerPresent Nov. 1, 2021, 6:26 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001dbc10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001dbc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001dbc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a89f840 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a89f840 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001a89f840 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008173e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008173e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008175a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00817868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04f05468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04f05468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 1, 2021, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04f05168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 6:25 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 1, 2021, 6:25 p.m.	stacktrace: 0xbd5f0a 0xbd5e85 0xbd52bc 0xbd5010 0xbd005f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a92652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72aa264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72aa2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72b574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72b57610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72be1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72be1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72be1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72be416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7313f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73977f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73974de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbd5f99 registers.esp: 1698804 registers.edi: 44248372 registers.eax: 0 registers.ebp: 1698828 registers.edx: 8333736 registers.ebx: 43136952 registers.esi: 44248552 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 1, 2021, 6:25 p.m.

stacktrace:

0xbd5f0a
0xbd5e85
0xbd52bc
0xbd5010
0xbd005f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72a92652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72aa264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72aa2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72b574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72b57610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72be1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72be1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72be1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72be416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7313f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73977f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73974de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77539ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77539ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xbd5f99
registers.esp: 1698804
registers.edi: 44248372
registers.eax: 0
registers.ebp: 1698828
registers.edx: 8333736
registers.ebx: 43136952
registers.esi: 44248552
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://cdn.discordapp.com/attachments/847196641017593886/904481515533123634/Unbeautify.exe

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/847196641017593886/904481515533123634/Unbeautify.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 329 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0b2b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0494000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90d0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90de6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90d1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90d1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90d1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90d1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 2012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe90e6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\filename.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\filename.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 1, 2021, 6:25 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 1, 2021, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 53 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000031c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: 7-Zip base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: AddressBook base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Adobe AIR base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Connection Manager base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: EditPlus base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: ePageSafer base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Fontcore base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Google Chrome base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: IE40 base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: IE4Data base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: IEData base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: Office14.PROPLUS base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: TouchEn nxKey base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: UnINISafeWeb base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: UnINISafeWeb6 base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: WIC base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 1, 2021, 6:25 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000031c key_handle: 0x00000318 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

91.243.32.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 1620 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000290	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;W§ìà0± À@ ²@È°SÀÞà H.text$ `.rsrcÞÀ@@.relocà@B base_address: 0x0000000000400000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: P8h ÀTôÂêT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameThrappling.exe(LegalCopyright FOriginalFilenameThrappling.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000000041c000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: ° 1 base_address: 0x000000000041e000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1620 process_handle: 0x0000000000000290	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;W§ìà0± À@ ²@È°SÀÞà H.text$ `.rsrcÞÀ@@.relocà@B base_address: 0x0000000000400000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1	0

Collects information about installed applications (40 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Nov. 1, 2021, 6:25 p.m.	key_handle: 0x00000318 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2012 resumed a thread in remote process 1620
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 1620	1	0	0

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2012	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2012	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2012	1	0
CreateProcessInternalW Nov. 1, 2021, 6:25 p.m.	thread_identifier: 1616 thread_handle: 0x000000000000028c process_identifier: 1620 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000290	1	1
NtAllocateVirtualMemory Nov. 1, 2021, 6:25 p.m.	process_identifier: 1620 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000290	1	0
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;W§ìà0± À@ ²@È°SÀÞà H.text$ `.rsrcÞÀ@@.relocà@B base_address: 0x0000000000400000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: base_address: 0x0000000000402000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: P8h ÀTôÂêT4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°´StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0>InternalNameThrappling.exe(LegalCopyright FOriginalFilenameThrappling.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000000041c000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: ° 1 base_address: 0x000000000041e000 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
WriteProcessMemory Nov. 1, 2021, 6:25 p.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1620 process_handle: 0x0000000000000290	1	1
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000000000000028c suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000048c suspend_count: 1 process_identifier: 1620	1	0
NtGetContextThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000017c	1	0
NtGetContextThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000017c	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000004e8 suspend_count: 1 process_identifier: 1620	1	0
NtResumeThread Nov. 1, 2021, 6:25 p.m.	thread_handle: 0x000006f0 suspend_count: 1 process_identifier: 1620	1	0
CreateProcessInternalW Nov. 1, 2021, 6:25 p.m.	thread_identifier: 1572 thread_handle: 0x00000848 process_identifier: 288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\filename.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\filename.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\filename.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000850	1	1
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000001f0 suspend_count: 1 process_identifier: 288	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 288	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 288	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 288	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134	1	0
NtGetContextThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000204 suspend_count: 1 process_identifier: 288	1	0
NtResumeThread Nov. 1, 2021, 6:26 p.m.	thread_handle: 0x0000000000000224 suspend_count: 1 process_identifier: 288	1	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.869029
FireEye	Generic.mg.e0f1da55d595ccd8
ALYac	Gen:Variant.Bulz.869029
Cylance	Unsafe
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FMWZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Bulz.869029
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Bulz.869029
Emsisoft	Gen:Variant.Bulz.869029 (B)
McAfee-GW-Edition	Artemis
Sophos	Mal/Generic-S
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Arcabit	Trojan.Bulz.DD42A5
GData	Gen:Variant.Bulz.869029
Cynet	Malicious (score: 100)
McAfee	Artemis!E0F1DA55D595
MAX	malware (ai score=86)
Malwarebytes	Trojan.Agent.Gen
Yandex	Trojan.Agent!YCLuocL77Wo
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
AVG	FileRepMalware
Cybereason	malicious.4dcc20
MaxSecure	Trojan.Malware.300983.susgen

180.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All