Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 10, 2021, 6:01 p.m.	Nov. 10, 2021, 6:24 p.m.

Size	140.5KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`df90b2e12b0377db82d6a1cdcf3b8ad8`
SHA256	`f071bb54ef89464b10aec76d59532d8eb0087b32508a584fbf7a9e3f78cff9d0`
CRC32	`1965D29B`
ssdeep	`3072:DokUrHT0ex88T3EujO/UXQ5HDwu6i/tKAz/IO4hblzvuPL1zJ:DokUDT0rg3EcO/UX0suTIO0zvuPL1z`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

8071_1636483658_131.exe "C:\Users\test22\AppData\Local\Temp\8071_1636483658_131.exe"
2308

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.92.73.142	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 10, 2021, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2021, 5:54 p.m.			0	0
IsDebuggerPresent Nov. 10, 2021, 5:54 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (39 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000007132b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713860 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713da0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713e10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713e10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713e10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba002e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba002e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000713e10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fe80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fe80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fe80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fe80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba5fef0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000007131d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000007131d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000007131d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000007131d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001baa6be0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001baa6be0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 10, 2021, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001baa7580 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2021, 5:54 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 10, 2021, 5:55 p.m.	stacktrace: 0x7fe9353d11a 0x7fe9353c989 0x7fe9353c835 0x7fe9353c432 0x7fe9353bdbf 0x7fe93532d36 0x7fe9352a44a 0x7fe93527ff3 0x7fe93527199 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bbf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bbf242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2c0b042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2c0ad83 mscorlib+0x563bfc @ 0x7fef1a73bfc mscorlib+0x486001 @ 0x7fef1996001 0x7fe9352714c mscorlib+0x4ef8a5 @ 0x7fef19ff8a5 mscorlib+0x4ef609 @ 0x7fef19ff609 mscorlib+0x4ef5c7 @ 0x7fef19ff5c7 mscorlib+0xd5159d @ 0x7fef226159d CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bbf713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bbf242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bbf30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2d86291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c66d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c66d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c66c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c66dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2d86175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2cf66ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76da652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x770fc521 exception.instruction_r: 48 8b 40 08 48 8b 40 08 48 89 45 08 90 48 8b 45 exception.instruction: mov rax, qword ptr [rax + 8] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe9353d11a registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 488111888 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 10, 2021, 5:55 p.m.

stacktrace:

0x7fe9353d11a
0x7fe9353c989
0x7fe9353c835
0x7fe9353c432
0x7fe9353bdbf
0x7fe93532d36
0x7fe9352a44a
0x7fe93527ff3
0x7fe93527199
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bbf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bbf242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef2c0b042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef2c0ad83
mscorlib+0x563bfc @ 0x7fef1a73bfc
mscorlib+0x486001 @ 0x7fef1996001
0x7fe9352714c
mscorlib+0x4ef8a5 @ 0x7fef19ff8a5
mscorlib+0x4ef609 @ 0x7fef19ff609
mscorlib+0x4ef5c7 @ 0x7fef19ff5c7
mscorlib+0xd5159d @ 0x7fef226159d
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef2bbf713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef2bbf242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef2bbf30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef2d86291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef2c66d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef2c66d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef2c66c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef2c66dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef2d86175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef2cf66ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76da652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x770fc521

exception.instruction_r: 48 8b 40 08 48 8b 40 08 48 89 45 08 90 48 8b 45
exception.instruction: mov rax, qword ptr [rax + 8]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe9353d11a
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 488111888
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 107 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef320b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002300000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b72000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b74000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9341d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe933fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9340d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93528000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 10, 2021, 5:54 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

8071_1636483658_131.exe tried to sleep 231 seconds, actually delayed analysis time by 231 seconds

Steals private information from local Internet browsers (50 out of 61 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\
file	C:\Users\test22\AppData\Local\Google\Chrome\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00022a00', u'virtual_address': u'0x00002000', u'entropy': 7.673704534893341, u'name': u'.text', u'virtual_size': u'0x0002285c'}

entropy

7.67370453489

description

A section with a high entropy has been found

entropy

0.989285714286

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 10, 2021, 5:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (25 events)

Time & API	Arguments	Status
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0xffffffff80000002 key_handle: 0x0000000000000338 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: 7-Zip base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: AddressBook base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: Connection Manager base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: DirectDrawEx base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: Fontcore base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: HashTab base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: IE40 base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: IE4Data base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: IE5BAKEX base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: IEData base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: MobileOptionPack base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: MozillaMaintenanceService base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: SchedulingAgent base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: WIC base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {90150000-002A-0000-1000-0000000FF1CE} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {90150000-002A-0409-1000-0000000FF1CE} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {90150000-0116-0409-1000-0000000FF1CE} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042 base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}	1
RegOpenKeyExW Nov. 10, 2021, 5:55 p.m.	regkey_r: {EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04} base_handle: 0x0000000000000338 key_handle: 0x0000000000000334 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}	1

Communicates with host for which no DNS query was performed (1 event)

host

185.92.73.142

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (13 events)

Time & API	Arguments	Status
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 19.00 (x64) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HashTab 6.0.0.34 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HashTab\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Maintenance Service regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 KOR Language Pack regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office 64-bit Components 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft .NET Framework 4.5 한국어 언어 팩 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Python 2.7.18 (64-bit) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName	1
RegQueryValueExW Nov. 10, 2021, 5:55 p.m.	key_handle: 0x0000000000000334 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}\DisplayName	1

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.df90b2e12b0377db
McAfee	Artemis!DF90B2E12B03
Cyren	W64/MSIL_Kryptik.DJR.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ACJJ
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
Avast	FileRepMalware
Emsisoft	Trojan.Crypt (A)
F-Secure	Heuristic.HEUR/AGEN.1142184
McAfee-GW-Edition	Artemis!Trojan
Sophos	ML/PE-A
Ikarus	Trojan-Spy.Agent
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1142184
Microsoft	Trojan:MSIL/Reline.BE!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Androm.gen
Cynet	Malicious (score: 99)
Malwarebytes	Trojan.Crypt.MSIL.Generic
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
Cybereason	malicious.a004ec

8071_1636483658_131.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All