Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2023, 9:10 a.m.	May 24, 2023, 9:12 a.m.

Size	6.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`02eceb12980e60c1496eb6b9a02d3483`
SHA256	`e36099a8ffebc501c3d1b8325a103b62769c5ac2630989ea3ea66715022a062f`
CRC32	`B8948466`
ssdeep	`98304:z4S0clXTS9EIv1281Ey0l6iEz0JzA3+rBAlrHC3dNtCLChF:l/lX3I9R1EFlnxJzVA1ALI+hF`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer VMProtect_Zero - VMProtect packed file Raccoon_Stealer_1_Zero - Raccoon Stealer

a03.exe "C:\Users\test22\AppData\Local\Temp\a03.exe"
300
- 2.1.1.exe C:\Users\test22\AppData\Local\Temp\2.1.1.exe
  2128
- wfplwfs.exe C:\Users\test22\AppData\Local\Temp\wfplwfs.exe
  2816
  - rundll32.exe C:\Windows\system32\rundll32.exe
    3036
- cmd.exe cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a03.exe"
  2852
  - PING.EXE ping 127.0.0.1 -n 3
    2928
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
14mmf.za.com	A 104.21.54.36 A 172.67.223.30	172.67.223.30

IP Address	Status	Action
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
172.67.223.30	Active	Moloch
45.144.28.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 148.251.234.93:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 172.67.223.30:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 45.144.28.189:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin M1	A Network Trojan was detected
TCP 45.144.28.189:80 -> 192.168.56.103:49166	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 45.144.28.189:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.144.28.189:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2036884	ET HUNTING Possible Generic Stealer Sending System Information	Misc activity
TCP 192.168.56.103:49167 -> 45.144.28.189:80	2036885	ET HUNTING Possible Generic Stealer Sending a Screenshot	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 172.67.223.30:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=14mmf.za.com	aa:41:3d:d8:cf:f6:f8:cf:3e:b5:c5:dd:03:65:99:87:f3:4f:f5:36

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2023, 9:11 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2023, 9:10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.144.28.189/
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.144.28.189/302f831c3b8545fb0a5a60bd7a5eeedb

Performs some HTTP requests (10 events)

request	POST http://45.144.28.189/
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
request	GET http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
request	POST http://45.144.28.189/302f831c3b8545fb0a5a60bd7a5eeedb
request	GET https://14mmf.za.com/analytics.php?pub=a03&guid=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&sign=178004f0465ebfb5

Sends data using the HTTP POST Method (2 events)

request	POST http://45.144.28.189/
request	POST http://45.144.28.189/302f831c3b8545fb0a5a60bd7a5eeedb

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71941000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\LocalLow\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\wfplwfs.exe
file	C:\Users\test22\AppData\Local\Temp\2.1.1.exe
file	C:\Users\test22\AppData\LocalLow\nss3.dll

Creates hidden or system file (15 events)

Time & API	Arguments	Status	Return
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000c4 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539
NtCreateFile May 24, 2023, 9:10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D8C5E4A16C2BEA0E36BAA2D018275111FF62FD09 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 0 ()		3221225539

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\LocalLow\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\nss3.dll
file	C:\Users\test22\AppData\LocalLow\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\a03.exe
file	C:\Users\test22\AppData\Local\Temp\wfplwfs.exe
file	C:\Users\test22\AppData\Local\Temp\2.1.1.exe
file	C:\Users\test22\AppData\LocalLow\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 24, 2023, 9:11 a.m.	thread_identifier: 2820 thread_handle: 0x00000124 process_identifier: 2816 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\wfplwfs.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000120	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00e00000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process 2.1.1.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELöñ9bà"!à&Ð`ýÑ@Aø!\T¿@@x ¸Ph hýð ðÄ\!@.textiÞà `.rdataäéðêä@@.dataNà*Î@À.00cfg0ø@@.rsrcx@ú@@.reloch Pþ@BUåSWV]u~ÿt@ pàÿ0WÿÑÄ~1ÀÛÀÁàHFDÿt xàÿ0WÿÑÄ1À^_[]Ã1ÀÛÀÁàHFDëéÌÌÌÌÌÌÌÌÌÌÌÌÌUåWVìuþ3'u7¿èÿÿ=ta¡l$ÿ`ÇìÀt:x(p,Ç@0Ä^_]Ã¿²èÿÿþ~2çØÿÿø8wmÿ$èx¿¦èÿÿë¨(ñ$èÀë´èI"ëþæ þoóþOIþ&ÅFþøþ !¿ÐèÿÿéIÿÿÿþ ¿èÿÿé3ÿÿÿ¿èÿÿé)ÿÿÿ¿¯èÿÿéÿÿÿ¿¶èÿÿéÿÿÿ¿´èÿÿéÿÿÿ¿³èÿÿéÿÿÿ¿¢èÿÿé÷þÿÿ¿ èÿÿéíþÿÿ¿×èÿÿéãþÿÿþÈþí¿þå/þç7þãu¿Ñèÿÿéþÿÿþa _¿èÿÿéþÿÿþþzþpÏþx.¿èÿÿéVþÿÿþØþÏßþÉg¿£èÿÿé(þÿÿþkÖþPa¿Éèÿÿéþÿÿþ½ÊþîJ¿èÿÿéêýÿÿþÍ¾þAÿÿÿþ·t´éþo¯þÙ¿èÿÿé£ýÿÿþ'¿¼èÿÿéýÿÿþætþéJ¿èÿÿérýÿÿþ{î¿èÿÿé_ýÿÿþÐæ¿ÙèÿÿéIýÿÿþlå¿ºèÿÿé6ýÿÿþ¾Ú¿èÿÿé ýÿÿþÎÖ¿Áèÿÿé ýÿÿþpmþÿÿþqaþÿÿþø´¿ªèÿÿéÜüÿÿÿ$x¿ÂèÿÿéËüÿÿþÏ¿¤èÿÿéµüÿÿþWCÿÿÿëxþg þÿÿëjþßub¿Óèÿÿéüÿÿþ request_handle: 0x00cc000c	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PEL(Á[à"!(`Ù@ ð@AgÏèr ð?°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@Bð¢ ¢¢à¢£0££p£0¤Ð£°£¤À¤p¤P¤°¤ð¤à¤0¥`¥ ¥¥P¥¦À¦ ¦`¦ §à§À§§°¨ð¨Ð¨ ¨À©ªà©°©àª ««Àª¬@¬ ¬à«P0®¥ ¥¢ ¢à¢ð¢£0£p££°£Ð£¤0¤P¤p¤°¤À¤à¤ð¤¥ ¥0¥P¥`¥¥ ¥`¦¦ ¦À¦§ §À§à§ ¨°¨Ð¨ð¨°©À©à©ªÀªàª« «à«¬ ¬@¬0P®0®°®À¯Ð°à°ð° ±À±²0²@²P²p²²Ð²P³³³ð³ ´0µµ°µÐµ¶P¶0··p¾¿ ÀàÅðÆ0Ð ÑÀÑàÑðÓÔÝ@ÞÐßàßààðæ0èPèÀêàêPïð ðò°òÐôðôpööû0ûÐûüàüPýþàþ`ÿÀÿÐÿðÿ`0` àÐP`°0P`Ð °Ðð 0`pÀ ° request_handle: 0x00cc0018	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL(Á[à"!ÞÙð 0t(@Aàã ¸ú? 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B0'à'`-à2@4p5°6(9ø9;0;À;<`= = >0>Q>>p?Ð?ð?À@pADàEJ@ZðZ [0[`[°[\\ \0\@\pe°eàefPj`jpjjjàj l0làlðmn0nPrÐrÐs`tÐtðtuuPuu°uvðvw w@w`ww x`\|}0}@}`}} }ÀÐàð0®À°ÀÐÀðÀ@Á Ò0Ò@ÒPÒàÓÔ ×Ð×°ØðØÙ@Û°Ü@Ý0ßß@ZX!fPjUnknown exception !fPjbad exceptionì!fPj8"fPj"fPjAccess violation - no RTTI data!Attempted a typeid of nullptr pointer!Bad read pointer - no RTTI data!Bad dynamic_cast!csmà 8t°api-ms-win-core-fibers-l1-1-1api-ms-win-core-synch-l1-2-0kernel32api-ms-ext-ms-FlsAlloc request_handle: 0x00cc0024	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÔñ9bà"!V°/Ð íî @A¼cQ ,p °r ¸ 4C°Wh0 Ø·.textÑ `.rdataÿ0@@.data¸0 @À.00cfgP @@.tls` " @À.rsrc°p $ @@.reloc4C D. @BUåSWVìÎ]¡0 1èEðSèÄÇF9øs0ìEìD$\$<$ñè>ÆMð1éèÂðÄ^_[]ÂÙóør~WQSèJÄÆ;ëËÌÌÌÌÌÌÌUåSWVìEÀ¦MðYÁÉ¾ÿÿÿ¸#]ìxxÚÑê×÷ÿÿÿ9ûwhÚ9ÑÖCñF=sHÀPèÄÇEð]XpÆSÿuWè¸ÄÆMìùs4>ðÄ^_[]ÂøÜwF$ë1ÀHPèDÄx#çàGüëªèAùrHüÀü)Èø sÈPè¡QÄuðë¤1ÿ1öNésÿÿÿÿÔ ÌÌÌÌÌÌÌÌÌUåSWVÇÒÈ É¡Izþæþ¤ÉtNYöÃtFãþyç ÷yáþræ<zÉtv9çþ ÷zræþt^öÃurëÏzÉJ0^_[]Ããþ^r÷Ïzæþt&>Ïz1ë×ÇhH òÌ¹¶èkaÏzÇhH òÌ¹ èPaÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUåSWVÇÒ·ÈJÉªIzþæþNÉtYöÃuÏzNÉJV0^_[]Ããþ^yç ÷yáþræ<zÉtdyçþ ÷zQræþt^öÃurë²ãþ^r÷Ïzæþt)~ÏzVqëÇhH òÌ¹¶èa`ÏzÇhH òÌ¹ èF`ÌÌÌÌÌUåSWVPÇÒröyÈNöÁáþYyÿt öG÷zç Ï~IJÉLqæþrÖæþyç ÷yz request_handle: 0x00cc0030	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL&ò9bà"!6°à é @A4, S, È xT ¸° 8$& 0 . D.textÕ `.rdataÄ0@@.data<F@ & @À.00cfg ( @@.rsrcx * @@.reloc8$° &. @BUåhOè2ÄÀt8Ààð]ÃhàÿÿèÄ1À]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUåWVEÀtu}UMÿt"òò0ë(hàÿÿè¿Ä¸ÿÿÿÿë&Ç4¦¦¦¦Ç0¦¦¦¦jVjjRQPèO¤Ä^_]ÃÌÌÌÌÌÌÌÌUåSWVhOèÄÀt0Ç8Ç1öçðtkEU]MÛtòò0ë%hàÿÿè2Ä1öë<Ç4¦¦¦¦Ç0¦¦¦¦jRjjPQWèÅ£ÄÀtÿ·8èäÄëþð^_[]ÃÌÌÌÌÌUåWVuöt }jVèÉ¨Äÿtÿ¶8è¨Ä^_]ÃUåSWVäøìPL$,M¡´@ 1èD$HÇD$4ùrÈàuy;}vhàÿÿé²hàÿÿé¨\|$,}uöÓøàøPèÄÀx\|$ òòD$8ÂÂD$$}WÁïVRèL$0Ä÷ß\|$01ÀÇD$ÇD$ÇD$ÇD$ÇD$ÇD$ÇD$1Ûëf.D$(ÀÃÿøñD$(Ã¿ëaD$fD$0D$8D$0D$9D$0D$:D$0D$;D$0D$<D$0D$=D$0D$>0\$?D$0øÀÇÃø,òùòD$@jD$<PjT$@RPÿt$@Îè¨ÄÂÀJÿÿÿòD$@òþÛñeÿÿÿD$þÀLÿÿÿD$þÀu]D$þÀufD$þÀuwD$þÀD$D$D$D$ÇD$ÇD$ÇD$ÇD$ÇD$éôþÿÿD$ÇD$éãþÿÿD$ÇD$ÇD$éÊþÿÿD$ÇD$ÇD$ÇD$ request_handle: 0x00cc003c	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL'ò9bà"!ÌòÎ¡Þ@AtvSÇwð°Â¸À5hqà D{.textVÊÌ `.rdata¬à®Ð@@.data~@À.00cfg @@.rsrc°@@.reloc5À6@BUå¡Àtÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡Àt$ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡Àt¨ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtH(ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtH,ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtH4ÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡ÀtÀÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÏÌÌÌUå¡ÀtH8ÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡ÀtH<ÿ ]ÿáh 6hÿè{ÄÀt]Ã¡ëÔÌÌÌÌÌÌÌÌUå¡ÀtH@ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHDÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHHÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌ request_handle: 0x00cc0048	1	1
InternetReadFile May 24, 2023, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL"©,bv²à!ú àaÈ °nàÐ ¨ à; âÐ.text¬ `P`.data\|' (@`À.rdataDPF:@`@.bss( `À.edatan°,@0@.idataÐà¬@0À.CRT,ðº@0À.tls ¼@0À.rsrc¨ ¾@0À.relocà; <Ä@0B/48` @@B/19RÈp Ê @B/31]'@(Ð @B/45-p.ø @B/57\ &@0B/70#°2@B/81s:À<6@B/92Pr@BSìÇ$èó Ã$è¶Ï Û£¨ìa£¨ìat ÇÄ1À[ÃÄ¸[ÃWVSìT$$Òur¡ ìaÀè1Û5ãìa£ ìaëvÇ$èÿÖìºØð±¨ìaÀuá¡¨ìaøãÇ$è7ó ¸Ä[^_Âö¼'ú¸uäd¡1öX=ãìaëv9ÃÇ$èÿ×ìðð±¨ìaÀuÞ1Û¡¨ìaø!¡¨ìaÀñ¡¨ìaøÛË¡ìaÀtT$(ÇD$T$T$ $ÿÐì ìaÄ¸[^_Â1Àé7ÿÿÿö¼'¡¨ìa$è3Î ÀÆtA¡¨ìa$è Î Ãë9ÞwÀtóëÿÐ9Þvñ4$èèñ Ç¨ìaÇ¨ìa1ÀÇ¨ìa¨ìa¸Ä[^_Â»éÿÿÿf request_handle: 0x00cc0054	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0056f000', u'virtual_address': u'0x0000f000', u'entropy': 7.954696693201262, u'name': u'.rdata', u'virtual_size': u'0x0056ec80'}

entropy

7.9546966932

description

A section with a high entropy has been found

entropy

0.910936476752

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 77 events)

Time & API	Arguments	Status
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000001c options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: 7-Zip base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: AddressBook base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Connection Manager base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Fontcore base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: HashTab base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE40 base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE4Data base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IEData base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Mozilla Firefox 105.0.1 (x64 en-US) base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: MozillaMaintenanceService base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: WIC base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {90150000-002A-0000-1000-0000000FF1CE} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {90150000-002A-0409-1000-0000000FF1CE} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {90150000-0116-0409-1000-0000000FF1CE} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000001c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: 7-Zip base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: AddressBook base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Adobe AIR base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Connection Manager base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: EditPlus base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Fontcore base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Google Chrome base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE40 base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE4Data base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: IEData base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: WIC base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW May 24, 2023, 9:10 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x0000001c key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping 127.0.0.1 -n 3
cmdline	cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a03.exe"

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 2df9037fb29129ad27a4f2cf88cee132e272e28e

Communicates with host for which no DNS query was performed (1 event)

host

45.144.28.189

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000018c	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (6 events)

Time & API	Arguments	Status	Return
FindWindowA May 24, 2023, 9:11 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check		0
FindWindowA May 24, 2023, 9:11 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	65890
FindWindowA May 24, 2023, 9:11 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	65890
FindWindowA May 24, 2023, 9:11 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	65890
FindWindowA May 24, 2023, 9:11 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	65890
FindWindowA May 24, 2023, 9:12 a.m.	class_name: ThunderRT6FormDC window_name: Operators Network Error Check	1	65890

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\1d896d6f4de8430f.job

Collects information about installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office 64-bit Components 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 24, 2023, 9:10 a.m.	key_handle: 0x000002e4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2816 called NtSetContextThread to modify thread in remote process 3036
NtSetContextThread May 24, 2023, 9:11 a.m.	registers.eip: 2005598660 registers.esp: 1178512 registers.edi: 0 registers.eax: 4199668 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000188 process_identifier: 3036	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2816 resumed a thread in remote process 3036
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 3036	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 24, 2023, 9:10 a.m.	thread_identifier: 2132 thread_handle: 0x00000394 process_identifier: 2128 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\2.1.1.exe filepath_r: stack_pivoted: 0 creation_flags: 16 (CREATE_NEW_CONSOLE) inherit_handles: 0 process_handle: 0x000003a0	1	1
CreateProcessInternalW May 24, 2023, 9:11 a.m.	thread_identifier: 2820 thread_handle: 0x00000124 process_identifier: 2816 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\wfplwfs.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW May 24, 2023, 9:11 a.m.	thread_identifier: 2856 thread_handle: 0x00000120 process_identifier: 2852 current_directory: filepath: track: 1 command_line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\test22\AppData\Local\Temp\a03.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000124	1	1
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW May 24, 2023, 9:11 a.m.	thread_identifier: 3040 thread_handle: 0x00000188 process_identifier: 3036 current_directory: filepath: track: 1 command_line: C:\Windows\system32\rundll32.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000018c	1	1
NtGetContextThread May 24, 2023, 9:11 a.m.	thread_handle: 0x00000188	1	0
NtAllocateVirtualMemory May 24, 2023, 9:11 a.m.	process_identifier: 3036 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000018c	1	0
NtSetContextThread May 24, 2023, 9:11 a.m.	registers.eip: 2005598660 registers.esp: 1178512 registers.edi: 0 registers.eax: 4199668 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000188 process_identifier: 3036	1	0
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW May 24, 2023, 9:11 a.m.	thread_identifier: 2932 thread_handle: 0x00000084 process_identifier: 2928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 3 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2928	1	0
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread May 24, 2023, 9:11 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 3036	1	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Raccoon.4!c
MicroWorld-eScan	Gen:Variant.Fragtor.289150
ALYac	Gen:Variant.Fragtor.289150
Malwarebytes	Malware.AI.3065879201
Sangfor	Trojan.Win32.Fragtor.V5se
K7AntiVirus	Trojan ( 0056e5201 )
Alibaba	TrojanPSW:Win32/Raccoon.6c2640dd
K7GW	Trojan ( 0056e5201 )
Cybereason	malicious.0da875
Arcabit	Trojan.Fragtor.D4697E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	multiple detections
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Raccoon.gen
BitDefender	Gen:Variant.Fragtor.289150
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan-QQPass.QQRob.Psmw
Emsisoft	Gen:Variant.Fragtor.289150 (B)
F-Secure	Trojan.TR/AD.Nekark.lfcoo
VIPRE	Gen:Variant.Fragtor.289150
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
FireEye	Generic.mg.02eceb12980e60c1
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/AD.Nekark.lfcoo
MAX	malware (ai score=82)
Antiy-AVL	Trojan[PSW]/Win32.Raccoon
Microsoft	Trojan:Win32/Raccoon.CREC!MTB
ZoneAlarm	HEUR:Trojan-PSW.Win32.Raccoon.gen
GData	Gen:Variant.Fragtor.289150
AhnLab-V3	Trojan/Win.Raccoon.C5432015
McAfee	Artemis!02ECEB12980E
VBA32	BScope.TrojanDownloader.Agent
Cylance	unsafe
Rising	Trojan.Generic@AI.100 (RDML:fhOnm/cY/Nd8ag8Z8AxoUg)
BitDefenderTheta	Gen:NN.ZexaF.36196.@tW@a41Ad8ji
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

a03.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All