{"diagram": [{"nodes": [{"1044": [{"name": "dwwin.exe"}, {"pid": 1044}]}, {"992": [{"name": "d82791a7c79d04a.exe"}, {"pid": 992}]}]}, {"edges": {"9921044ProcessCreate": {"action": "ProcessCreate", "source": {"pid": "992", "name": "d82791a7c79d04a.exe"}, "destination": {"pid": "1044", "name": "dwwin.exe"}}, "9921044WriteMemory": {"action": "WriteMemory", "source": {"pid": "992", "name": "d82791a7c79d04a.exe"}, "destination": {"pid": "1044", "name": "dwwin.exe"}}}}], "manipulated_registry_keys": [{"Action": "DeleteValueKey", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\DW\tValueName:DWFileTreeRoot\tKeyHandle:0x000000C4\tSTATUS:0x00000000\r\n", "Time": "375"}, {"Action": "SetValueKey", "Tid": "1080", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:AppData\tData:C:\\Documents and Settings\\Administrator\\Application Data\tKeyHandle:0x000006E8\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x00000072\tSTATUS:0x00000000\r\n", "Time": "968"}, {"Action": "SetValueKey", "Tid": "1080", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Personal\tData:C:\\Documents and Settings\\Administrator\\My Documents\tKeyHandle:0x000006E4\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x0000006A\tSTATUS:0x00000000\r\n", "Time": "968"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Cache\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\tKeyHandle:0x00000394\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000A0\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Directory\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\tKeyHandle:0x00000390\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000B8\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Paths\tData:(NULL)\tKeyHandle:0x00000390\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CachePath\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache1\tKeyHandle:0x0000038C\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CachePath\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache2\tKeyHandle:0x00000388\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CachePath\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache3\tKeyHandle:0x00000384\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CachePath\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache4\tKeyHandle:0x00000380\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "1703"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CacheLimit\tData:(NULL)\tKeyHandle:0x0000038C\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CacheLimit\tData:(NULL)\tKeyHandle:0x00000388\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CacheLimit\tData:(NULL)\tKeyHandle:0x00000384\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CacheLimit\tData:(NULL)\tKeyHandle:0x00000380\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Cookies\tData:C:\\Documents and Settings\\Administrator\\Cookies\tKeyHandle:0x00000394\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x00000060\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:History\tData:C:\\Documents and Settings\\Administrator\\Local Settings\\History\tKeyHandle:0x00000394\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x0000007E\tSTATUS:0x00000000\r\n", "Time": "1718"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1750"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1750"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1750"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1765"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1765"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tData:(NULL)\tKeyHandle:0x00000364\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1765"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Common AppData\tData:C:\\Documents and Settings\\All Users\\Application Data\tKeyHandle:0x000002CC\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x0000006A\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:AppData\tData:C:\\Documents and Settings\\Administrator\\Application Data\tKeyHandle:0x00000278\tTitleIndex:0x00000000\tType:0x00000001\tDataSize:0x00000072\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:MigrateProxy\tData:(NULL)\tKeyHandle:0x00000274\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tData:(NULL)\tKeyHandle:0x00000274\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "DeleteValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyServer\tKeyHandle:0x00000274\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "DeleteValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyOverride\tKeyHandle:0x00000274\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "DeleteValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:AutoConfigURL\tKeyHandle:0x00000274\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tData:(NULL)\tKeyHandle:0x00000264\tTitleIndex:0x00000000\tType:0x00000004\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "1921"}, {"Action": "SetValueKey", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\tValueName:SavedLegacySettings\tData:(NULL)\tKeyHandle:0x00000234\tTitleIndex:0x00000000\tType:0x00000003\tDataSize:0x00000038\tSTATUS:0x00000000\r\n", "Time": "1921"}], "malware_modified_file": [{"Action": "OpenCreate", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "640"}, {"Action": "WriteFile", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:2\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "640"}, {"Action": "WriteFile", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:106\tByteOffset:2\tSTATUS:0x00000000\r\n", "Time": "640"}, {"Action": "WriteFile", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:130\tByteOffset:108\tSTATUS:0x00000000\r\n", "Time": "656"}, {"Action": "WriteFile", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:432\tByteOffset:238\tSTATUS:0x00000000\r\n", "Time": "656"}, {"Action": "WriteFile", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:126\tByteOffset:1594\tSTATUS:0x00000000\r\n", "Time": "718"}, {"Action": "WriteFile", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:32\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "1562"}, {"Action": "WriteFile", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:4\tByteOffset:2976\tSTATUS:0x00000000\r\n", "Time": "1562"}, {"Action": "WriteFile", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:716\tByteOffset:4604\tSTATUS:0x00000000\r\n", "Time": "1562"}, {"Action": "WriteFile", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:8568\tByteOffset:7703\tSTATUS:0x00000000\r\n", "Time": "1609"}, {"Action": "WriteFile", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:11820\tByteOffset:16927\tSTATUS:0x00000000\r\n", "Time": "1609"}], "malware_behaviors": [[{"id": 42}, {"title": "Reads an ini file"}, {"threat": 1}, {"rows": [[{"Action": "ReadFile"}, {"Time": "2125"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\WINDOWS\\win.ini\tLength:477\tByteOffset:0\tSTATUS:0x00000000\r\n"}]]}], [{"id": 18}, {"title": "Tries to write to foreign memory regions"}, {"threat": 2}, {"rows": [[{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:65536\tSTATUS:0x00000000\tBuffer:[0000003D][00000000][0000003A][00000000][0000003A][00000000][0000003D][00000000][0000003A][00000000][0000003A][00000000][0000005C][00000000][00000000][00000000][0000003D][00000000][00000043][00000000][0000003A][00000000][0000003D][00000000][00000043][00000000][0000003A][00000000][0000005C][00000000][00000053][00000000][00000068][00000000][00000061][00000000][00000072][00000000][00000065][00000000][0000005C][00000000][0000006E][00000000][00000065][00000000][00000077][00000000][0000005F][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000]\r\n"}], [{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:131072\tSTATUS:0x00000000\tBuffer:[00000000][00000010][00000000][00000000][000000C4][00000006][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000001][00000000][00000032][00000000][00000000][00000000][00000000][00000000][00000003][00000000][00000000][00000000][00000007][00000000][00000000][00000000][0000000B][00000000][00000000][00000000][00000026][00000000][00000008][00000002][00000090][00000002][00000000][00000000][0000000E][00000000][00000000][00000000][0000003E][00000001][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000]\r\n"}], [{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:2147336208\tSTATUS:0x00000000\tBuffer:[00000000][00000000][00000002][00000000][00000000][00000000][00000000][00000000]\r\n"}], [{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:196608\tSTATUS:0x00000000\tBuffer:[00000053][00000000][00000068][00000000][00000069][00000000][0000006D][00000000][00000045][00000000][0000006E][00000000][00000067][00000000][0000002E][00000000][00000064][00000000][0000006C][00000000][0000006C][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000]\r\n"}], [{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:2147336680\tSTATUS:0x00000000\tBuffer:[00000000][00000000][00000003][00000000][00000000][00000000][00000000][00000000]\r\n"}], [{"Action": "WriteMemory"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPID:1044\tTargetName:dwwin.exe\tBaseAddress:1376256\tSTATUS:0x00000000\tBuffer:[00000043][0000003A][0000005C][00000055][00000073][00000065][00000072][00000041][00000063][00000063][0000006F][00000075][0000006E][00000074][00000053][00000063][00000061][0000006E][0000006E][00000065][00000072][00000032][0000002E][00000064][0000006C][0000006C][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000][00000000]\r\n"}]]}], [{"id": 2}, {"title": "Tries to create temporary file"}, {"threat": 1}, {"rows": [[{"Action": "WriteFile"}, {"Time": "640"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:2\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "640"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:106\tByteOffset:2\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "656"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:130\tByteOffset:108\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "656"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:432\tByteOffset:238\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "718"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\tLength:126\tByteOffset:1594\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "1562"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:32\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "1562"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:4\tByteOffset:2976\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "1562"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:716\tByteOffset:4604\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "1609"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:8568\tByteOffset:7703\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "1609"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\tLength:11820\tByteOffset:16927\tSTATUS:0x00000000\r\n"}]]}], [{"id": 57}, {"title": "Create Mutex"}, {"threat": 2}, {"rows": [[{"Action": "CreateMutant"}, {"Time": "343"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=Null\tpid:992\ttid:1004\taction:NtCreateMutant\tMutantHandle:0x0012EFA8\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012EFC8\tMutantHandle__out:0x0012EFC8\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "343"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=Null\tpid:992\ttid:1004\taction:NtCreateMutant\tMutantHandle:0x0012EFA8\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012EFC8\tMutantHandle__out:0x0012EFC8\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "343"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=Null\tpid:992\ttid:1004\taction:NtCreateMutant\tMutantHandle:0x0012EFA8\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012EFC8\tMutantHandle__out:0x0012EFC8\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "578"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tPath=Null\tpid:992\ttid:1004\taction:NtCreateMutant\tMutantHandle:0x0012DFB8\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x7C81E4DF\tMutantHandle__out:0x7C81E4DF\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "875"}, {"Pid": "1044"}, {"Tid": "1080"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1080\taction:NtCreateMutant\tMutantHandle:0x0013E9C0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:SHIMLIB_LOG_MUTEX\tInitialOwner:0\tMutantHandle_before:0x00000000\tMutantHandle__out:0x00000000\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "890"}, {"Pid": "1044"}, {"Tid": "1080"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1080\taction:NtCreateMutant\tMutantHandle:0x0013F8D8\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x77260000\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "890"}, {"Pid": "1044"}, {"Tid": "1080"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1080\taction:NtCreateMutant\tMutantHandle:0x0013F8CC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x77260000\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "890"}, {"Pid": "1044"}, {"Tid": "1080"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1080\taction:NtCreateMutant\tMutantHandle:0x0013F8CC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesLockedCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x77260000\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "968"}, {"Pid": "1044"}, {"Tid": "1080"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1080\taction:NtCreateMutant\tMutantHandle:0x0013FDC4\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0013FF60\tMutantHandle__out:0x0013FF60\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "1765"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1092\taction:NtCreateMutant\tMutantHandle:0x00C2E880\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x00000368\tMutantHandle__out:0x00000368\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "1765"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1092\taction:NtCreateMutant\tMutantHandle:0x00C2D288\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x76EB0000\tMutantHandle__out:0x76EB0000\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "1765"}, {"Pid": "1044"}, {"Tid": "1092"}, {"Key": "dwwin.exe\tPath=Null\tpid:1044\ttid:1092\taction:NtCreateMutant\tMutantHandle:0x00C2D224\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:RasPbFile\tInitialOwner:0\tMutantHandle_before:0x00000000\tMutantHandle__out:0x00000000\tSTATUS:0x00000000\r\n"}]]}], [{"id": 19}, {"title": "Tries to create a thread in another existing process"}, {"threat": 3}, {"rows": [[{"Action": "ThreadCreate"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPid:1044\tThreadId:1080\r\n"}], [{"Action": "ThreadCreate"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPid:1044\tThreadId:1088\r\n"}]]}], [{"id": 4}, {"title": "Tries to spawn process"}, {"threat": 1}, {"rows": [[{"Action": "ProcessCreate"}, {"Time": "828"}, {"Pid": "992"}, {"Tid": "1004"}, {"Key": "d82791a7c79d04a.exe\tTargetPid:1044\tTargetName:dwwin.exe\tCommandLine:\"C:\\Share\\new_sandBoxLog\\d82791a7c79d04a.exe\" \tDebugMode:0\r\n"}]]}]], "malware_processes": {"0": {"LinkID": 0, "Source": " ", "Time": "312", "Action": " ", "ProcessIDdest": "992", "ProcessNameDest": "d82791a7c79d04a.exe"}, "1": {"LinkID": 547, "Destination": "dwwin.exe[1044]", "Source": "d82791a7c79d04a.exe[992]", "Time": "828", "Action": "WriteMemory", "ProcessIDdest": "1044", "ProcessNameDest": "dwwin.exe"}}, "benign_behaviors": [], "all_processes": [{"Process Name": "csrss.exe", "PID": 620, "Registry": 100, "File": 416, "Memory": 66}, {"Process Name": "svchost.exe", "PID": 852, "Registry": 36, "File": 0, "Memory": 0}, {"Process Name": "d82791a7c79d04a.exe", "PID": 992, "Registry": 0, "File": 0, "Memory": 2}, {"Process Name": "fltMc.exe", "PID": 560, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "explorer.exe", "PID": 1428, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "python.exe", "PID": 1628, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "lsass.exe", "PID": 700, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "System", "PID": 4, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "wuauclt.exe", "PID": 1820, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "sqlservr.exe", "PID": 2000, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "winlogon.exe", "PID": 644, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "dwwin.exe", "PID": 1044, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "svchost.exe", "PID": 932, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "svchost.exe", "PID": 1016, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "lsass.exe", "PID": 916, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "spoolsv.exe", "PID": 1528, "Registry": 0, "File": 4, "Memory": 0}, {"Process Name": "services.exe", "PID": 688, "Registry": 0, "File": 0, "Memory": 0}], "malware_created_file": [{"Action": "OpenCreate", "Tid": "1004", "Pid": "992", "Details": "d82791a7c79d04a.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3b4a_appcompat.txt\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "625"}, {"Action": "OpenCreate", "Tid": "1092", "Pid": "1044", "Details": "dwwin.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\23A6F.dmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_TEMPORARY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "1031"}]}