Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 21, 2021, 11:39 p.m.	Nov. 21, 2021, 11:41 p.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`426fd133506f9bec04b326330e2b31a9`
SHA256	`357f1b029541bda80fb1b5dc0c099069f32c93ac182a16219fb30d50229fd498`
CRC32	`CD4D6A43`
ssdeep	`98304:0SiSFxonB+Wh4y5C9etJ4PlsczYNz1bhkPf+lMF8PRGAlWDjzK4f:IExy89m2SczYNcPmlMcGNHN`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Setup_WinThruster_2021.exe "C:\Users\test22\AppData\Local\Temp\Setup_WinThruster_2021.exe"
2780
- Setup_WinThruster_2021.tmp "C:\Users\test22\AppData\Local\Temp\is-QK5M8.tmp\Setup_WinThruster_2021.tmp" /SL5="$B0138,5514338,878080,C:\Users\test22\AppData\Local\Temp\Setup_WinThruster_2021.exe"
  2864
  - WTNotifications.exe "C:\Program Files (x86)\WinThruster\WTNotifications.exe"
    3004
explorer.exe C:\Windows\Explorer.EXE
1156
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2304
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:145409
  2436
schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
2728

Name	Response	Post-Analysis Lookup
www.google-analytics.com	CNAME www-google-analytics.l.google.com A 142.250.199.78	172.217.161.46
www.googletagmanager.com	CNAME www-googletagmanager.l.google.com A 142.250.204.40	142.250.196.104
www.clarity.ms	A 104.212.68.7 CNAME global-geo-afdthirdparty-unicast.trafficmanager.net CNAME bom02r3a.msedge.net CNAME clarity.azurefd.net	104.212.68.19
apis.google.com	A 216.58.200.78 CNAME plus.l.google.com	142.250.196.142
www.googlecommerce.com	A 142.250.204.78 CNAME www3.l.google.com	172.217.31.174
cdn.ywxi.net	CNAME dtx9pzf7ji0d9.cloudfront.net A 52.84.166.90 A 52.84.166.24 A 52.84.166.21 A 52.84.166.84	54.230.168.125
subscriptions.avqtools.com	A 116.203.251.147	116.203.251.147
stats.avqtools.com	A 116.203.251.147	116.203.251.147
www.google.com	A 142.250.204.100	142.250.196.132
www.solvusoft.com	CNAME www.solvusoft.com.edgekey.net A 104.75.23.156 CNAME e14078.f.akamaiedge.net	104.75.23.156
www.youtube.com	A 172.217.31.238 A 142.250.207.78 A 172.217.24.238 A 142.250.204.110 A 172.217.25.14 A 172.217.24.110 A 142.250.66.142 A 142.250.199.78 A 142.250.204.46 A 142.250.204.78 A 142.250.66.78 A 142.250.66.46 A 142.250.66.110 A 172.217.174.206 CNAME youtube-ui.l.google.com A 142.250.204.142 A 172.217.24.78	172.217.175.110

IP Address	Status	Action
104.212.68.7	Active	Moloch
104.75.23.156	Active	Moloch
116.203.251.147	Active	Moloch
117.18.232.200	Active	Moloch
142.250.199.78	Active	Moloch
142.250.204.100	Active	Moloch
142.250.204.40	Active	Moloch
142.250.204.78	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.238	Active	Moloch
216.58.200.78	Active	Moloch
52.84.166.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49189 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 52.84.166.84:443 -> 192.168.56.101:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 172.217.31.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 52.84.166.84:443	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.101:49192 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 142.250.204.100:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 172.217.31.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 216.58.200.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 142.250.204.40:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 142.250.199.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 104.75.23.156:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 142.250.204.40:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 142.250.204.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 142.250.204.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 142.250.199.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 52.84.166.84:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 142.250.204.100:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 216.58.200.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 116.203.251.147:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 104.212.68.7:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 116.203.251.147:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 104.212.68.7:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 116.203.251.147:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49189 104.75.23.156:443	None	None	None
TLSv1 192.168.56.101:49188 104.75.23.156:443	None	None	None
TLSv1 192.168.56.101:49190 104.75.23.156:443	None	None	None
TLSv1 192.168.56.101:49216 172.217.31.238:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	02:64:ca:2e:8a:2f:bb:c4:97:9d:a7:ac:2b:47:ff:de:28:0e:71:b1
TLSv1 192.168.56.101:49223 142.250.204.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c3:ee:b4:93:eb:c8:75:f9:66:66:54:fe:b1:f8:d0:42:a7:e3:a5:fe
TLSv1 192.168.56.101:49215 172.217.31.238:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	02:64:ca:2e:8a:2f:bb:c4:97:9d:a7:ac:2b:47:ff:de:28:0e:71:b1
TLSv1 192.168.56.101:49225 216.58.200.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.apis.google.com	24:5f:7f:45:30:a6:80:06:3a:02:b0:fb:a4:0a:5a:a5:bf:7a:26:ee
TLSv1 192.168.56.101:49201 142.250.204.40:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	46:9f:a6:8f:d4:0c:51:2c:3d:40:b7:40:b5:fe:3d:5f:cc:4c:2c:98
TLSv1 192.168.56.101:49213 142.250.199.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	46:9f:a6:8f:d4:0c:51:2c:3d:40:b7:40:b5:fe:3d:5f:cc:4c:2c:98
TLSv1 192.168.56.101:49184 104.75.23.156:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Nevada, serialNumber=E0460582008-6, C=US, ST=Nevada, L=Las Vegas, O=Solvusoft Corporation, OU=Internet Security, CN=solvusoft.com	1d:57:2c:e3:be:6f:a6:61:65:66:05:5e:d3:2c:45:58:6e:58:ef:1c
TLSv1 192.168.56.101:49185 104.75.23.156:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Nevada, serialNumber=E0460582008-6, C=US, ST=Nevada, L=Las Vegas, O=Solvusoft Corporation, OU=Internet Security, CN=solvusoft.com	1d:57:2c:e3:be:6f:a6:61:65:66:05:5e:d3:2c:45:58:6e:58:ef:1c
TLSv1 192.168.56.101:49200 142.250.204.40:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	46:9f:a6:8f:d4:0c:51:2c:3d:40:b7:40:b5:fe:3d:5f:cc:4c:2c:98
TLSv1 192.168.56.101:49208 142.250.204.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	02:64:ca:2e:8a:2f:bb:c4:97:9d:a7:ac:2b:47:ff:de:28:0e:71:b1
TLSv1 192.168.56.101:49209 142.250.204.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	02:64:ca:2e:8a:2f:bb:c4:97:9d:a7:ac:2b:47:ff:de:28:0e:71:b1
TLSv1 192.168.56.101:49191 104.75.23.156:443	None	None	None
TLSv1 192.168.56.101:49214 142.250.199.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	46:9f:a6:8f:d4:0c:51:2c:3d:40:b7:40:b5:fe:3d:5f:cc:4c:2c:98
TLSv1 192.168.56.101:49222 142.250.204.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	c3:ee:b4:93:eb:c8:75:f9:66:66:54:fe:b1:f8:d0:42:a7:e3:a5:fe
TLSv1 192.168.56.101:49224 216.58.200.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.apis.google.com	24:5f:7f:45:30:a6:80:06:3a:02:b0:fb:a4:0a:5a:a5:bf:7a:26:ee

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 21, 2021, 11:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 21, 2021, 11:39 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 21, 2021, 11:39 p.m.	buffer: SUCCESS: The scheduled task "WinThruster automatic scan and notifications" has successfully been created. console_handle: 0x00000007	1	1	0

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Nov. 21, 2021, 11:39 p.m.	stacktrace: TMethodImplementationIntercept+0x1fa2eb dbkFCallWrapperAddr-0xf5be1 wtnotifications+0x264a5f @ 0x664a5f TMethodImplementationIntercept+0x1fa524 dbkFCallWrapperAddr-0xf59a8 wtnotifications+0x264c98 @ 0x664c98 TMethodImplementationIntercept+0x204391 dbkFCallWrapperAddr-0xebb3b wtnotifications+0x26eb05 @ 0x66eb05 TMethodImplementationIntercept+0x203a13 dbkFCallWrapperAddr-0xec4b9 wtnotifications+0x26e187 @ 0x66e187 TMethodImplementationIntercept+0x2040f6 dbkFCallWrapperAddr-0xebdd6 wtnotifications+0x26e86a @ 0x66e86a TMethodImplementationIntercept+0x2047d5 dbkFCallWrapperAddr-0xeb6f7 wtnotifications+0x26ef49 @ 0x66ef49 TMethodImplementationIntercept+0x208c19 dbkFCallWrapperAddr-0xe72b3 wtnotifications+0x27338d @ 0x67338d TMethodImplementationIntercept+0x2ada7c dbkFCallWrapperAddr-0x42450 wtnotifications+0x3181f0 @ 0x7181f0 TMethodImplementationIntercept+0x43478 dbkFCallWrapperAddr-0x2aca54 wtnotifications+0xadbec @ 0x4adbec __dbk_fcall_wrapper-0x6c92 wtnotifications+0x9916 @ 0x409916 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 77527884 registers.edi: 39374864 registers.eax: 77527884 registers.ebp: 77527964 registers.edx: 0 registers.ebx: 12030 registers.esi: 39375072 registers.ecx: 7	1
__exception__ Nov. 21, 2021, 11:39 p.m.	stacktrace: TMethodImplementationIntercept+0x1fa2eb dbkFCallWrapperAddr-0xf5be1 wtnotifications+0x264a5f @ 0x664a5f TMethodImplementationIntercept+0x1fa524 dbkFCallWrapperAddr-0xf59a8 wtnotifications+0x264c98 @ 0x664c98 TMethodImplementationIntercept+0x204391 dbkFCallWrapperAddr-0xebb3b wtnotifications+0x26eb05 @ 0x66eb05 TMethodImplementationIntercept+0x203a13 dbkFCallWrapperAddr-0xec4b9 wtnotifications+0x26e187 @ 0x66e187 TMethodImplementationIntercept+0x2040f6 dbkFCallWrapperAddr-0xebdd6 wtnotifications+0x26e86a @ 0x66e86a TMethodImplementationIntercept+0x2047d5 dbkFCallWrapperAddr-0xeb6f7 wtnotifications+0x26ef49 @ 0x66ef49 TMethodImplementationIntercept+0x209ee9 dbkFCallWrapperAddr-0xe5fe3 wtnotifications+0x27465d @ 0x67465d TMethodImplementationIntercept+0x20a04e dbkFCallWrapperAddr-0xe5e7e wtnotifications+0x2747c2 @ 0x6747c2 TMethodImplementationIntercept+0x209b71 dbkFCallWrapperAddr-0xe635b wtnotifications+0x2742e5 @ 0x6742e5 TMethodImplementationIntercept+0x2adac6 dbkFCallWrapperAddr-0x42406 wtnotifications+0x31823a @ 0x71823a TMethodImplementationIntercept+0x43478 dbkFCallWrapperAddr-0x2aca54 wtnotifications+0xadbec @ 0x4adbec __dbk_fcall_wrapper-0x6c92 wtnotifications+0x9916 @ 0x409916 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 77527792 registers.edi: 39374864 registers.eax: 77527792 registers.ebp: 77527872 registers.edx: 0 registers.ebx: 12030 registers.esi: 39375072 registers.ecx: 7	1
__exception__ Nov. 21, 2021, 11:40 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 109180100 registers.edi: 79591732 registers.eax: 109180100 registers.ebp: 109180180 registers.edx: 187 registers.ebx: 109180464 registers.esi: 2147746133 registers.ecx: 79496568	1
__exception__ Nov. 21, 2021, 11:40 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7234540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x723452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72420ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 72537904 registers.edi: 1988295184 registers.eax: 72537904 registers.ebp: 72537984 registers.edx: 1 registers.ebx: 5443508 registers.esi: 2147746133 registers.ecx: 2694174469	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (50 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://www.solvusoft.com/en/winthruster/install/
request	GET https://www.solvusoft.com/winthruster/css/styles.css
request	GET https://www.solvusoft.com/css/buttons.css
request	GET https://www.solvusoft.com/css/mobile.css
request	GET https://www.solvusoft.com/css/960grid.css
request	GET https://www.solvusoft.com/css/IE9styles.css
request	GET https://www.solvusoft.com/winthruster/js/jquery-1.10.1.min.js
request	GET https://www.solvusoft.com/winthruster/js/jquery.fancybox.js
request	GET https://www.solvusoft.com/winthruster/css/fancybox.css
request	GET https://www.solvusoft.com/winthruster/images/logo.png
request	GET https://www.solvusoft.com/winthruster/images/icon-large-computer.png
request	GET https://www.solvusoft.com/images/logo-ibm.png
request	GET https://www.solvusoft.com/images/logo-asp.png
request	GET https://www.solvusoft.com/images/logo-microsoft.png
request	GET https://www.solvusoft.com/images/logo-bbb.png
request	GET https://www.solvusoft.com/images/icon-rss.png
request	GET https://www.solvusoft.com/images/icon-facebook.png
request	GET https://www.solvusoft.com/images/icon-twitter.png
request	GET https://www.solvusoft.com/images/logo-apple.png
request	GET https://www.solvusoft.com/images/icon-mail.png
request	GET https://www.solvusoft.com/winthruster/images/logo-winthruster.png
request	GET https://www.solvusoft.com/winthruster/images/icon-large-search.png
request	GET https://www.solvusoft.com/winthruster/images/icon-large-tools.png
request	GET https://www.solvusoft.com/scripts/jquery.cookie.js
request	GET https://www.solvusoft.com/scripts/tools/SS_Vtv.js?_=1637521159504
request	GET https://www.solvusoft.com/winthruster/images/bullet-bolt.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-graph.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-tv.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-clock.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-tools.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-wand.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-user.png
request	GET https://www.solvusoft.com/images/btn-medium-arrow-right.png
request	GET https://www.solvusoft.com/winthruster/images/bullet-popup.png
request	GET https://www.solvusoft.com/favicon.ico
request	GET https://www.googletagmanager.com/gtm.js?id=GTM-PTV2B8
request	GET https://www.solvusoft.com/en/scripts/visitor.js?&ss_vid[res]=1365x1024x24&ss_vid[platform]=Win32&_=1637521159505
request	GET https://www.solvusoft.com/en/scripts/visitor.js?&ss_vid[res]=1365x1024x24&ss_vid[platform]=Win32
request	POST https://www.solvusoft.com/en/_ajax/record-page-view.php
request	GET https://www.youtube.com/iframe_api
request	GET https://www.googlecommerce.com/trustedstores/api/js
request	GET https://www.google-analytics.com/analytics.js
request	GET https://www.youtube.com/s/player/a4610635/www-widgetapi.vflset/www-widgetapi.js
request	GET https://www.google-analytics.com/plugins/ua/ec.js
request	GET https://www.google-analytics.com/plugins/ua/linkid.js
request	GET https://www.google.com/_/scs/shopping-verified-reviews-static/_/js/k=boq-shopping-verified-reviews.VerifiedReviewsGcrBootstrapJs.ko.yeQLJmsaiQg.es5.O/d=1/rs=AC8lLkTwCKOhX3RjWnUlQFyWOD1UNvva2w/m=bootstrap
request	GET https://apis.google.com/js/api.js
request	GET https://apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.ko.pt8_P9jS3ho.O/m=gapi_iframes/rt=j/sv=1/d=1/ed=1/am=AQ/rs=AGLTcCOJTgRWP4cQb29T7UM03E_6ZL8ECg/cb=gapi.loaded_0
request	GET https://www.google.com/shopping/customerreviews/proxy?ts_id=563148&usegapi=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.ko.pt8_P9jS3ho.O%2Fam%3DAQ%2Fd%3D1%2Frs%3DAGLTcCOJTgRWP4cQb29T7UM03E_6ZL8ECg%2Fm%3D__features__

Sends data using the HTTP POST Method (1 event)

request

POST https://www.solvusoft.com/en/_ajax/record-page-view.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 764 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 122880 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 3004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 region_size: 6754304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d39000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bf2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73552000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:40 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 region_size: 659456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c2c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d39000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bf2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bf7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76c0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bf6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x766e3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7769d000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 21, 2021, 11:32 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13693648896 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2304 crashed
__exception__ Nov. 21, 2021, 11:40 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 109180100 registers.edi: 79591732 registers.eax: 109180100 registers.ebp: 109180180 registers.edx: 187 registers.ebx: 109180464 registers.esi: 2147746133 registers.ecx: 79496568	1	0	0
__exception__ Nov. 21, 2021, 11:40 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7234540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x723452ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72420ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 72537904 registers.edi: 1988295184 registers.eax: 72537904 registers.ebp: 72537984 registers.edx: 1 registers.ebx: 5443508 registers.esi: 2147746133 registers.ecx: 2694174469	1	0	0

Application Crash

Process iexplore.exe with pid 2304 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 21, 2021, 11:40 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 109180100
registers.edi: 79591732
registers.eax: 109180100
registers.ebp: 109180180
registers.edx: 187
registers.ebx: 109180464
registers.esi: 2147746133
registers.ecx: 79496568

__exception__

Nov. 21, 2021, 11:40 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7234540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x723452ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72420ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 72537904
registers.edi: 1988295184
registers.eax: 72537904
registers.ebp: 72537984
registers.edx: 1
registers.ebx: 5443508
registers.esi: 2147746133
registers.ecx: 2694174469

Steals private information from local Internet browsers (15 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Application Cache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sessions\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Media Cache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\File System\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Creates executable files on the filesystem (15 events)

file	C:\Users\test22\Desktop\WinThruster.lnk
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\analytics[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\js[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\jquery.fancybox[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\jquery.cookie[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\api[1].js
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster on the Web.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster.lnk
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\jquery-1.10.1.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m=bootstrap[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\iframe_api[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\linkid[1].js
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\Uninstall WinThruster.lnk
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\gtm[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\ec[1].js

Creates a shortcut to an executable file (4 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster on the Web.lnk
file	C:\Users\test22\Desktop\WinThruster.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\Uninstall WinThruster.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-QK5M8.tmp\Setup_WinThruster_2021.tmp

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

DrWeb	Program.Unwanted.4865
ESET-NOD32	a variant of Win32/Avanquest.C potentially unwanted
Malwarebytes	PUP.Optional.WinThruster

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 21, 2021, 11:39 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06fe0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 21, 2021, 11:39 p.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 57 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\		2
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001b0 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001b4 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1 base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000001d0 options: 0 access: 0x00000110 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}	1	0
RegOpenKeyExW Nov. 21, 2021, 11:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000204 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Collects information about installed applications (41 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WinThruster v7.5.0.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x000001d0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 7 Update 51 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86417051FF}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Office 64-bit Components 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002A-0412-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW Nov. 21, 2021, 11:39 p.m.	key_handle: 0x00000204 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2304 resumed a thread in remote process 2436
NtResumeThread Nov. 21, 2021, 11:39 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2436	1	0	0

Setup_WinThruster_2021.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All