Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 19, 2022, 11:31 a.m.	Jan. 19, 2022, 11:45 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7fa457acce5d5487edb709a286052b79`
SHA256	`d87651d0c192db36871a32659dbc4329e673136e9465f9ed6058f21f87abdd46`
CRC32	`6BBA6A53`
ssdeep	`24576:Zjnm/gTcGACy6/jIliHtLZUSZ/siunRbp9hsJsJcQlDZSRCOfNxC9RNSwoR5Hbqs:Zjnm/gT+CySjEiNLZUKUDH9h4sJcQ5Ex`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2328
- cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\1.exe"
  2576
  - timeout.exe timeout /T 10 /NOBREAK
    2636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
162.159.137.85	Active	Moloch
185.163.204.212	Active	Moloch
185.163.204.22	Active	Moloch
193.122.6.168	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 19, 2022, 11:31 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 19, 2022, 11:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (23 events)

Time & API	Arguments	Status
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 10 eb 01 2c 64 8f 00 eb 04 f0 ba 7b 4d 83 c4 exception.symbol: 1+0x19c066 exception.instruction: mov edx, dword ptr [eax] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1687654 exception.address: 0x59c066 registers.esp: 2686848 registers.edi: 0 registers.eax: 0 registers.ebp: 2686868 registers.edx: 5881856 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 00 eb 03 2d cc 7d 64 8f 00 eb 02 29 89 83 c4 exception.symbol: 1+0x19ca9a exception.instruction: mov eax, dword ptr [eax] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1690266 exception.address: 0x59ca9a registers.esp: 2686816 registers.edi: 0 registers.eax: 0 registers.ebp: 2686868 registers.edx: 4294901775 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: 8b 11 eb 02 03 72 e9 25 fb ff ff eb 02 3e db f9 exception.symbol: 1+0x19eb7b exception.instruction: mov edx, dword ptr [ecx] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1698683 exception.address: 0x59eb7b registers.esp: 2686816 registers.edi: 5968257 registers.eax: 0 registers.ebp: 4286919083 registers.edx: 5892559 registers.ebx: 9043968 registers.esi: 5883417 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 02 29 bf 0f 0b eb 02 20 75 e9 d7 fd ff exception.symbol: 1+0x19e8b9 exception.instruction: ud2 exception.module: 1.exe exception.exception_code: 0xc000001d exception.offset: 1697977 exception.address: 0x59e8b9 registers.esp: 2686816 registers.edi: 7340032 registers.eax: 678683042 registers.ebp: 4286919083 registers.edx: 7340032 registers.ebx: 9043968 registers.esi: 7340452 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 1+0x19ec80 @ 0x59ec80 exception.instruction_r: 0f 0b eb 03 30 a3 f5 0f 0b eb 05 13 92 d7 cf 85 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x7041ee registers.esp: 2686480 registers.edi: 9059596 registers.eax: 0 registers.ebp: 2686796 registers.edx: 5891587 registers.ebx: 7340452 registers.esi: 4286974681 registers.ecx: 235	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f3482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 1+0x19ec80 @ 0x59ec80 exception.instruction_r: f7 f0 eb 03 d3 32 38 eb 04 13 af 45 92 eb 02 c0 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70437f registers.esp: 2684688 registers.edi: 0 registers.eax: 0 registers.ebp: 2684704 registers.edx: 5891587 registers.ebx: 7357200 registers.esi: 0 registers.ecx: 2685356	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: 8b 11 eb 01 29 e9 2b f1 ff ff eb 01 d2 55 eb 03 exception.symbol: 1+0x1a1666 exception.instruction: mov edx, dword ptr [ecx] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1709670 exception.address: 0x5a1666 registers.esp: 2686816 registers.edi: 9068360 registers.eax: 92 registers.ebp: 4286925130 registers.edx: 5900162 registers.ebx: 9043968 registers.esi: 7340452 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 1+0x1a089d @ 0x5a089d exception.instruction_r: 8b 11 eb 02 00 b1 e9 5a 05 00 00 eb 01 26 8b c6 exception.symbol: 1+0x1a0bd4 exception.instruction: mov edx, dword ptr [ecx] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1706964 exception.address: 0x5a0bd4 registers.esp: 2686704 registers.edi: 9068360 registers.eax: 167565902 registers.ebp: 2686796 registers.edx: 5901550 registers.ebx: 7340452 registers.esi: 4194304 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: 0f 0b eb 02 80 2e 0f 0b eb 01 6b e9 d1 02 00 00 exception.symbol: 1+0x1a08d7 exception.instruction: ud2 exception.module: 1.exe exception.exception_code: 0xc000001d exception.offset: 1706199 exception.address: 0x5a08d7 registers.esp: 2686816 registers.edi: 10032846 registers.eax: 10032846 registers.ebp: 4286925130 registers.edx: 2130566132 registers.ebx: 9043968 registers.esi: 7340452 registers.ecx: 382533632	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b eb 03 30 a3 f5 0f 0b eb 05 13 92 d7 cf 85 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x7111aa registers.esp: 2686452 registers.edi: 10082934 registers.eax: 0 registers.ebp: 2686768 registers.edx: 5891587 registers.ebx: 7340452 registers.esi: 4286974681 registers.ecx: 235	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73f3482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 03 d3 32 38 eb 04 13 af 45 92 eb 02 c0 exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x71133b registers.esp: 2684660 registers.edi: 0 registers.eax: 0 registers.ebp: 2684676 registers.edx: 5891587 registers.ebx: 7410380 registers.esi: 0 registers.ecx: 2685328	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x7122a5 0x712152 0x711af1 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 04 69 8e 87 d3 eb 1b eb 04 86 8c 75 ca exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70983f registers.esp: 2685736 registers.edi: 10083834 registers.eax: 0 registers.ebp: 2686096 registers.edx: 0 registers.ebx: 7340452 registers.esi: 7378846 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x712316 0x712152 0x711af1 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b 0f 0b eb 04 c7 cb 45 55 eb 02 82 33 f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x70a4eb registers.esp: 2685736 registers.edi: 10083834 registers.eax: 0 registers.ebp: 2686096 registers.edx: 7382104 registers.ebx: 7340452 registers.esi: 7382104 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71233c 0x711da2 0x711b34 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 04 69 8e 87 d3 eb 1b eb 04 86 8c 75 ca exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70983f registers.esp: 2685432 registers.edi: 2685966 registers.eax: 0 registers.ebp: 2685792 registers.edx: 2685580 registers.ebx: 7340452 registers.esi: 7378846 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71244f 0x711da2 0x711b34 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b 0f 0b eb 04 c7 cb 45 55 eb 02 82 33 f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x70a4eb registers.esp: 2685432 registers.edi: 2685966 registers.eax: 0 registers.ebp: 2685792 registers.edx: 7382104 registers.ebx: 7340452 registers.esi: 7382104 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71233c 0x711d02 0x711b96 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 04 69 8e 87 d3 eb 1b eb 04 86 8c 75 ca exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70983f registers.esp: 2685428 registers.edi: 2685930 registers.eax: 0 registers.ebp: 2685788 registers.edx: 0 registers.ebx: 7340452 registers.esi: 7378846 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71244f 0x711d02 0x711b96 0x711174 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b 0f 0b eb 04 c7 cb 45 55 eb 02 82 33 f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x70a4eb registers.esp: 2685428 registers.edi: 2685930 registers.eax: 0 registers.ebp: 2685788 registers.edx: 7382104 registers.ebx: 7340452 registers.esi: 7382104 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71275c 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 04 69 8e 87 d3 eb 1b eb 04 86 8c 75 ca exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70983f registers.esp: 2686092 registers.edi: 10089518 registers.eax: 0 registers.ebp: 2686452 registers.edx: 0 registers.ebx: 7340452 registers.esi: 7378846 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x71354f 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: f7 f0 eb 04 69 8e 87 d3 eb 1b eb 04 86 8c 75 ca exception.instruction: div eax exception.exception_code: 0xc0000094 exception.symbol: exception.address: 0x70983f registers.esp: 2686008 registers.edi: 10089518 registers.eax: 0 registers.ebp: 2686368 registers.edx: 7415644 registers.ebx: 7340452 registers.esi: 7378846 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x7138e5 0x712e1f 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b 0f 0b eb 04 c7 cb 45 55 eb 02 82 33 f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x70a4eb registers.esp: 2685600 registers.edi: 10089518 registers.eax: 0 registers.ebp: 2685960 registers.edx: 7382104 registers.ebx: 7340452 registers.esi: 7382104 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: 0x712f91 1+0x1b33f4 @ 0x5b33f4 1+0x1a206b @ 0x5a206b exception.instruction_r: 0f 0b 0f 0b eb 04 c7 cb 45 55 eb 02 82 33 f7 f0 exception.instruction: ud2 exception.exception_code: 0xc000001d exception.symbol: exception.address: 0x70a4eb registers.esp: 2686012 registers.edi: 10089518 registers.eax: 0 registers.ebp: 2686372 registers.edx: 7382104 registers.ebx: 7340452 registers.esi: 7382104 registers.ecx: 7340452	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: f7 f9 eb 02 36 76 90 eb 03 64 8d 6f e9 05 00 00 exception.symbol: 1+0x1a2270 exception.instruction: idiv ecx exception.module: 1.exe exception.exception_code: 0xc0000094 exception.offset: 1712752 exception.address: 0x5a2270 registers.esp: 2686788 registers.edi: 10032854 registers.eax: 3310783324 registers.ebp: 4286928842 registers.edx: 10118494 registers.ebx: 9043968 registers.esi: 7340452 registers.ecx: 0	1
__exception__ Jan. 19, 2022, 11:31 a.m.	stacktrace: exception.instruction_r: 8b 0a eb 03 81 46 8f e9 5e ff ff ff eb 02 05 de exception.symbol: 1+0x1a1d11 exception.instruction: mov ecx, dword ptr [edx] exception.module: 1.exe exception.exception_code: 0xc0000005 exception.offset: 1711377 exception.address: 0x5a1d11 registers.esp: 2686788 registers.edi: 10032854 registers.eax: 1 registers.ebp: 4286928842 registers.edx: 0 registers.ebx: 9043968 registers.esi: 7340452 registers.ecx: 382533632	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.22/sandysysmanch1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.163.204.212/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.212//l/f/iG04cH4BZ2GIX1a3Foik/73eee44e44919848c055e1526d06276c45f92e2e
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.163.204.212//l/f/iG04cH4BZ2GIX1a3Foik/3f73650a26f7f66bc40c1ae9d176ca9cbf7fee6b

Performs some HTTP requests (4 events)

request	GET http://185.163.204.22/sandysysmanch1
request	POST http://185.163.204.212/
request	GET http://185.163.204.212//l/f/iG04cH4BZ2GIX1a3Foik/73eee44e44919848c055e1526d06276c45f92e2e
request	GET http://185.163.204.212//l/f/iG04cH4BZ2GIX1a3Foik/3f73650a26f7f66bc40c1ae9d176ca9cbf7fee6b

Sends data using the HTTP POST Method (1 event)

request

POST http://185.163.204.212/

Allocates read-write-execute memory (usually to unpack itself) (46 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 region_size: 1077248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 region_size: 241664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1454080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00564000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00568000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00569000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00568000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00563000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00563000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00563000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00484000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 442368 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0099d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009bd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00561000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Jan. 19, 2022, 11:31 a.m.	number_of_free_clusters: 2495028 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Jan. 19, 2022, 11:31 a.m.	number_of_free_clusters: 2495028 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (50 out of 59 events)

file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldif60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozMapi32_InUse.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozMapi32.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nss3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-namedpipe-l1-1-0.dll

Creates a suspicious process (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\1.exe"

Drops an executable to the user AppData folder (50 out of 58 events)

file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1.exe
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\prldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nss3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\mozglue.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\softokn3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\vcruntime140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\MapiProxy.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\msvcp140.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\qipcap.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sqlite3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\freebl3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ucrtbase.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\libEGL.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssckbi.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\nssdbm3.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\lgpllibs.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\ldap60.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\LocalLow\sG8rM8v\api-ms-win-crt-multibyte-l1-1-0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Jan. 19, 2022, 11:31 a.m.	thread_identifier: 2580 thread_handle: 0x000003ec process_identifier: 2576 current_directory: filepath: track: 1 command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\1.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003f0	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 19, 2022, 11:31 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00740000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002bd16', u'virtual_address': u'0x0016e000', u'entropy': 7.493141196655379, u'name': u'.rsrc', u'virtual_size': u'0x0002c220'}

entropy

7.49314119666

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0011df4b', u'virtual_address': u'0x0019c000', u'entropy': 7.999831454397392, u'name': u'', u'virtual_size': u'0x0011f000'}

entropy

7.9998314544

description

A section with a high entropy has been found

entropy

0.998864148122

description

Overall entropy of this PE file is high

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Jan. 19, 2022, 11:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000002ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\1.exe"

Communicates with host for which no DNS query was performed (4 events)

host	162.159.137.85
host	185.163.204.212
host	185.163.204.22
host	193.122.6.168

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Jan. 19, 2022, 11:31 a.m.	key_handle: 0x000002ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\Profiles\hzkyl8yo.default
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password2
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\POP3 User

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.7fa457acce5d5487
McAfee	Artemis!7FA457ACCE5D
Cylance	Unsafe
Cybereason	malicious.cce5d5
BitDefenderTheta	Gen:NN.ZexaF.34160.svX@aibUtBg
ESET-NOD32	a variant of Win32/Packed.Obsidium.EV
Paloalto	generic.ml
Kaspersky	VHO:Trojan-PSW.Win32.Racealer.nfz
Avast	Win32:Malware-gen
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Obsidium
Kingsoft	Win32.Heur.KVMH015.a.(kcloud)
Microsoft	Exploit:Win32/ShellCode!ml
GData	Win32.Trojan-Stealer.Racealer.XRZGSX
AhnLab-V3	Malware/Win.Generic.C4920946
VBA32	BScope.Trojan.EyeStye
Malwarebytes	Trojan.MalPack
APEX	Malicious
Rising	Exploit.Shellcode!8.2A (TFE:dGZlOgEkpPUR9N3wSA)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_73%
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_100% (W)

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All