Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 2, 2021, 11 a.m.	Nov. 2, 2021, 11:02 a.m.

Size	18.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`814166158551168419ccd66678c3349c`
SHA256	`a2a128d55c7292b0866fee181c3ef566b1ce2334a623a530ec27ab6d6c7eb200`
CRC32	`FB9E4193`
ssdeep	`384:PTqSEepyqemK8NNMk++Tt+ynFHuuXQosfk:PTNEeklmK/k3Lp`
PDB Path	D:\.000.Private\000.NET\VvMain\v0\4.0\VvFile\VvFile\obj\Release\v.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vcredist_2010.exe "C:\Users\test22\AppData\Local\Temp\vcredist_2010.exe"
2380
- WinPcap_4_1_3.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe"
  2812
  - net.exe net start npf
    2320
    - net1.exe C:\Windows\system32\net1 start npf
      2180
- vcredist_2010_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe" /q /norestart
  2856
  - Setup.exe c:\9c24ae5e40c96a9b8591096193\Setup.exe /q /norestart
    2956
- vcredist_2013_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe" /q /norestart
  2916
  - vcredist_2013_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe" /q /norestart -burn.unelevated BurnPipe.{8D1F1583-4DD8-4B1C-AFC5-DDB94D58D8B7} {152338CB-85B3-46B7-AAF3-56662B2C21CA} 2916
    3000
- sc.exe "C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
  3052
- sc.exe "C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
  2496
- sc.exe "C:\Windows\system32\sc.exe" start svchost
  2632
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.254.136.16	Active	Moloch
164.124.101.2	Active	Moloch
185.254.240.239	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.254.240.239:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.254.240.239:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 2, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 11:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 11:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2021, 11 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: SERVICE_NAME: svchost TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2708 FLAGS : console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\.000.Private\000.NET\VvMain\v0\4.0\VvFile\VvFile\obj\Release\v.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\BundlePatchCode

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/RuntimeBroker_64.zip
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/RuntimeBrokerBin_64.zip
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/WinPcap_4_1_3.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/vcredist_2010_x64.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/vcredist_2013_x64.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/PcapDotNet.Base_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/PcapDotNet.Core_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/PcapDotNet.Core.Extensions_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/PcapDotNet.Packets_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/PcapDotNet.Analysis_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/resource.json
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.254.240.239/Vv/1/process.json

Performs some HTTP requests (15 events)

request	GET http://185.254.240.239/Vv/1/RuntimeBroker_64.zip
request	GET http://185.254.240.239/Vv/1/RuntimeBrokerBin_64.zip
request	GET http://185.254.240.239/Vv/1/WinPcap_4_1_3.exe
request	GET http://185.254.240.239/Vv/1/vcredist_2010_x64.exe
request	GET http://185.254.240.239/Vv/1/vcredist_2013_x64.exe
request	GET http://185.254.240.239/Vv/1/PcapDotNet.Base_64.dll
request	GET http://185.254.240.239/Vv/1/PcapDotNet.Core_64.dll
request	GET http://185.254.240.239/Vv/1/PcapDotNet.Core.Extensions_64.dll
request	GET http://185.254.240.239/Vv/1/PcapDotNet.Packets_64.dll
request	GET http://185.254.240.239/Vv/1/PcapDotNet.Analysis_64.dll
request	GET http://185.254.240.239/Vv/resource.json
request	GET http://185.254.240.239/Vv/1/process.json
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl

Allocates read-write-execute memory (usually to unpack itself) (50 out of 95 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef321b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 2490368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002200000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b84000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9349c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9343c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93553000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93554000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93558000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93559000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

vcredist_2010.exe tried to sleep 145 seconds, actually delayed analysis time by 145 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 2, 2021, 11:01 a.m.	number_of_free_clusters: 2495956 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: c:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Nov. 2, 2021, 11:01 a.m.	total_number_of_free_bytes: 10213638144 free_bytes_available: 10213638144 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 2, 2021, 11:01 a.m.	total_number_of_free_bytes: 10211770368 free_bytes_available: 10211770368 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 2, 2021, 10:54 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10186752000 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

Creates executable files on the filesystem (38 events)

file	c:\9c24ae5e40c96a9b8591096193\SetupEngine.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	c:\9c24ae5e40c96a9b8591096193\1036\SetupResources.dll
file	C:\Windows\SysWOW64\RuntimeBroker.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Packets.dll
file	C:\Program Files (x86)\WinPcap\rpcapd.exe
file	C:\Program Files (x86)\WinPcap\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.ba1\wixstdba.dll
file	C:\Users\test22\AppData\Local\Temp\nso33DD.tmp\ExecDos.dll
file	c:\9c24ae5e40c96a9b8591096193\1033\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.dll
file	c:\9c24ae5e40c96a9b8591096193\SetupUi.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.Extensions.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk
file	c:\9c24ae5e40c96a9b8591096193\2052\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Analysis.dll
file	c:\9c24ae5e40c96a9b8591096193\1041\SetupResources.dll
file	C:\Windows\System32\wpcap.dll
file	c:\9c24ae5e40c96a9b8591096193\sqmapi.dll
file	c:\9c24ae5e40c96a9b8591096193\vc_red.msi
file	c:\9c24ae5e40c96a9b8591096193\1028\SetupResources.dll
file	c:\9c24ae5e40c96a9b8591096193\1049\SetupResources.dll
file	c:\9c24ae5e40c96a9b8591096193\1031\SetupResources.dll
file	c:\9c24ae5e40c96a9b8591096193\3082\SetupResources.dll
file	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\RuntimeBroker.exe
file	c:\9c24ae5e40c96a9b8591096193\1040\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Base.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	c:\9c24ae5e40c96a9b8591096193\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\nso33DD.tmp\UserInfo.dll
file	C:\Users\test22\AppData\Local\Temp\nso33DD.tmp\System.dll
file	C:\Windows\System32\Packet.dll
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.be\vcredist_x64.exe
file	C:\Users\test22\AppData\Local\Temp\nso33DD.tmp\InstallOptions.dll
file	c:\9c24ae5e40c96a9b8591096193\1042\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe
file	C:\Windows\System32\pthreadVC.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 2, 2021, 11:01 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000154 filepath: c:\9c24ae5e40c96a9b8591096193\$shtdwn$.req desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\c:\9c24ae5e40c96a9b8591096193\$shtdwn$.req create_options: 4192 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\sc.exe" start svchost
cmdline	C:\Windows\System32\sc.exe create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	C:\Windows\System32\sc.exe start svchost
cmdline	"C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	"C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
cmdline	C:\Windows\System32\sc.exe description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.ba1\wixstdba.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Analysis.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Base.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Packets.dll
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.be\vcredist_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.Extensions.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (40 events)

Time & API	Arguments	Status	Return
Process32FirstW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: System process_identifier: 4	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: services.exe process_identifier: 440	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 576	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 720	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 844	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: audiodg.exe process_identifier: 924	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: spoolsv.exe process_identifier: 1064	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 1132	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 1332	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 1728	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 1860	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: SearchIndexer.exe process_identifier: 1904	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: SearchProtocolHost.exe process_identifier: 744	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 2084	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 2208	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: vcredist_2010.exe process_identifier: 2380	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: WmiPrvSE.exe process_identifier: 2580	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: cmd.exe process_identifier: 2764	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 2772	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 2796	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: WinPcap_4_1_3.exe process_identifier: 2812	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: vcredist_2010_x64.exe process_identifier: 2856	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: vcredist_2013_x64.exe process_identifier: 2916	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000124 process_name: Setup.exe process_identifier: 2956	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 2, 2021, 11 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (33 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	setup.exe
process	vcredist_2010_x64.exe

Queries for potentially installed applications (50 out of 107 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000001c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: 7-Zip base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: AddressBook base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Adobe AIR base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Connection Manager base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: DirectDrawEx base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: EditPlus base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Fontcore base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Google Chrome base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE40 base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE4Data base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE5BAKEX base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IEData base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: MobileOptionPack base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SchedulingAgent base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: WIC base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000001c4 key_handle: 0x000001cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\system32\sc.exe" start svchost
cmdline	net start npf
cmdline	C:\Windows\System32\sc.exe create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	C:\Windows\System32\sc.exe start svchost
cmdline	"C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	"C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
cmdline	C:\Windows\System32\sc.exe description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: d345c44f02b1db02c806e700d025f2b3c3ab36cd
buffer	Buffer with sha1: cb9e3c0b48f5022594ee5da930a34317498e25ba
buffer	Buffer with sha1: a1ff8249425c05fae534aa6a2ea989c40e3c52fa

Communicates with host for which no DNS query was performed (2 events)

host	121.254.136.16
host	185.254.240.239

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService Nov. 2, 2021, 11:01 a.m.	service_handle: 0x00252178 service_name: MSIServer control_code: 1	1	1	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ea14036a-96ff-4c95-a988-78d36f0ccffa}				reg_value	"C:\ProgramData\Package Cache\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\vcredist_x64.exe" /burn.runonce
service_name	svchost				service_path	C:\Windows\SysWOW64\RuntimeBroker.exe

Created a service where a service was also not started (3 events)

Time & API	Arguments	Status	Return
CreateServiceA Nov. 2, 2021, 11:01 a.m.	service_start_name: start_type: 3 password: display_name: NetGroup Packet Filter Driver filepath: C:\Windows\System32\system32\drivers\npf.sys service_name: NPF filepath_r: system32\drivers\npf.sys desired_access: 983551 service_handle: 0x008c5908 error_control: 1 service_type: 1 service_manager_handle: 0x008c58b8	1	9197832
CreateServiceA Nov. 2, 2021, 11:01 a.m.	service_start_name: start_type: 3 password: display_name: Remote Packet Capture Protocol v.0 (experimental) filepath: C:\Windows\System32\"%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" service_name: rpcapd filepath_r: "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" desired_access: 983551 service_handle: 0x008c5f20 error_control: 1 service_type: 16 service_manager_handle: 0x008c5f48	1	9199392
CreateServiceW Nov. 2, 2021, 10:54 a.m.	service_start_name: start_type: 2 password: display_name: svchost filepath: C:\Windows\SysWOW64\RuntimeBroker.exe service_name: svchost filepath_r: C:\Windows\SysWOW64\RuntimeBroker.exe desired_access: 983551 service_handle: 0x0000000000276750 error_control: 1 service_type: 16 service_manager_handle: 0x0000000000276720	1	2582352

Installs WinPCAP (3 events)

file	C:\Windows\System32\Packet.dll
file	C:\Windows\System32\drivers\npf.sys
file	C:\Windows\System32\wpcap.dll

Stops Windows services (1 event)

service

NPF (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NPF\Start)

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.MSIL.Agent.b!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILHeracles.25837
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	GenericRXIT-RW!814166158551
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.MSILHeracles.D64ED
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Dropper.MSIL.Agent.gen
BitDefender	Gen:Variant.MSILHeracles.25837
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Gen:Variant.MSILHeracles.25837
Emsisoft	Gen:Variant.MSILHeracles.25837 (B)
McAfee-GW-Edition	GenericRXIT-RW!814166158551
FireEye	Generic.mg.8141661585511684
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/ATRAPS.Gen
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Dropper.MSIL.Agent.gen
GData	Gen:Variant.MSILHeracles.25837
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.MSILHeracles.25837
Malwarebytes	Trojan.Dropper.SVC
Tencent	Msil.Trojan-dropper.Agent.Dxmf
Ikarus	Win32.Outbreak
BitDefenderTheta	Gen:NN.ZemsilF.34236.bm0@ayOes2d
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.dbe2df
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

vcredist_2010.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All