Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 26, 2022, 5:23 p.m.	Sept. 26, 2022, 5:25 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`1451ed9b5629e22afbde901d932f4bfc`
SHA256	`cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a`
CRC32	`69F141B6`
ssdeep	`24576:9Ux3pCeQifiWVpXVE/aWumZxv/yE8gLfdryuZepwHOglrSrorrfQ8:6hpDf6WTXS/gmZ1KrgL1NNHOglrSrorV`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

sheet.exe "C:\Users\test22\AppData\Local\Temp\sheet.exe"
2312
- JUYBRB.exe "C:\Users\test22\AppData\Local\Temp\JUYBRB.exe"
  2404
  - wscript.exe WSCript C:\Users\test22\AppData\Local\Temp\LZTIXH.vbs
    2308
  - cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1
    2212
    - schtasks.exe schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1
      2484
- Client.exe "C:\Users\test22\AppData\Local\Temp\Client.exe"
  2488
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\sheet.js"
  2448
  - wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Local\Temp\sheet.js" /elevated
    2668
- build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
  2532
- EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /dde
  2708

Name	Response	Post-Analysis Lookup
sheet.duckdns.org	A 159.223.57.212	159.223.57.212
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
159.223.57.212	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:51935 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:60880 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:63183 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49172 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 3061 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 26, 2022, 5:23 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0
IsDebuggerPresent Sept. 26, 2022, 5:23 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 26, 2022, 5:23 p.m.	buffer: SUCCESS: The scheduled task "LZTIXH.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 26, 2022, 5:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00483ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 26, 2022, 5:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00483ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 26, 2022, 5:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00483b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Sept. 26, 2022, 5:23 p.m.	crypto_handle: 0x065caa90 algorithm_identifier: 0x00006610 () flags: 1 key: f \kdØgÑ³ ÅæåÏ]¥wWªDdmê-¿vé provider_handle: 0x06649ad0	1	1
CryptExportKey Sept. 26, 2022, 5:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065caa90 flags: 0 crypto_export_handle: 0x065cacd0 blob_type: 1	1	1
CryptExportKey Sept. 26, 2022, 5:23 p.m.	buffer: f¤/(ÏçLÓfµ`&ó¼âuM .+Y]¾vhü7ÅqÍtú&Qæ}ÚªÀ:l6ý¯.\1Å«-½@ç4¾êËhòñªyp$3.Êx%Ñ1Î~uRÊ?µyp?wM}\ÈOüw#Ï* ¾0°Y~ç÷bUÚói×ëóÖ·°6ù³=?*ôÂ:p¦Á×«#2ÂXg+IÜ®£H 2°LZp®QÊ!â+Pd,:§o3°ë¬{/:Ñª ¢ã¤ôD\| V©UþL[ußhYQÐTjªîuJÏ.íIoD³ crypto_handle: 0x065caa90 flags: 0 crypto_export_handle: 0x065cacd0 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 26, 2022, 5:23 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 26, 2022, 5:23 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a SLClose-0x28c osppc+0x2cb5 @ 0x67382cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x67395629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x67383412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x673929af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6686a648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x6c8f4a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x6c8f4823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x6c1b30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x6c1b2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6b9d2b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6b9d2456 0x35b4f68 _MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6b6f0fda _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6b6f08cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6b6dfa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6b6df808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6b6df7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6b513b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6b5122ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6b6a522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6b6a5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6b6a407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6b6a3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6b6a3f6b MdCallBack12-0x64a760 excel+0x37a4a @ 0x3f7a4a MdCallBack12-0x64de96 excel+0x34314 @ 0x3f4314 MdCallBack12-0x67d476 excel+0x4d34 @ 0x3c4d34 MdCallBack12-0x67d76a excel+0x4a40 @ 0x3c4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 2945196 registers.edi: 2945360 registers.eax: 2945196 registers.ebp: 2945276 registers.edx: 0 registers.ebx: 2946412 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 26, 2022, 5:23 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x67382cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x67395629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x67383412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x673929af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6686a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x6c8f4a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x6c8f4823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x6c1b30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x6c1b2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6b9d2b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6b9d2456
0x35b4f68
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6b6f0fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6b6f08cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6b6dfa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6b6df808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6b6df7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6b513b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6b5122ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6b6a522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6b6a5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6b6a407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6b6a3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6b6a3f6b
MdCallBack12-0x64a760 excel+0x37a4a @ 0x3f7a4a
MdCallBack12-0x64de96 excel+0x34314 @ 0x3f4314
MdCallBack12-0x67d476 excel+0x4d34 @ 0x3c4d34
MdCallBack12-0x67d76a excel+0x4a40 @ 0x3c4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 2945196
registers.edi: 2945360
registers.eax: 2945196
registers.ebp: 2945276
registers.edx: 0
registers.ebx: 2946412
registers.esi: 3221549073
registers.ecx: 2147483648

Connects to a Dynamic DNS Domain (1 event)

domain

sheet.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 85 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef324b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2bb4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9342a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe934e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9343c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9342b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93553000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9347c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9344d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	JUYBRB.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Sept. 26, 2022, 5:23 p.m.	number_of_free_clusters: 2498521 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:23 p.m.	number_of_free_clusters: 2496633 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:23 p.m.	number_of_free_clusters: 2496633 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498658 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498146 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498120 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498120 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498120 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2498120 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 1391580 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2497748 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2497747 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:24 p.m.	number_of_free_clusters: 2497747 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497747 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497304 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497305 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497305 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497305 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Sept. 26, 2022, 5:25 p.m.	number_of_free_clusters: 2497300 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process EXCEL.EXE with pid 2708 crashed
__exception__ Sept. 26, 2022, 5:23 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a SLClose-0x28c osppc+0x2cb5 @ 0x67382cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x67395629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x67383412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x673929af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6686a648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x6c8f4a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x6c8f4823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x6c1b30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x6c1b2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6b9d2b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6b9d2456 0x35b4f68 _MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6b6f0fda _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6b6f08cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6b6dfa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6b6df808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6b6df7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6b513b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6b5122ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6b6a522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6b6a5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6b6a407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6b6a3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6b6a3f6b MdCallBack12-0x64a760 excel+0x37a4a @ 0x3f7a4a MdCallBack12-0x64de96 excel+0x34314 @ 0x3f4314 MdCallBack12-0x67d476 excel+0x4d34 @ 0x3c4d34 MdCallBack12-0x67d76a excel+0x4a40 @ 0x3c4a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 2945196 registers.edi: 2945360 registers.eax: 2945196 registers.ebp: 2945276 registers.edx: 0 registers.ebx: 2946412 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process EXCEL.EXE with pid 2708 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 26, 2022, 5:23 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x67382cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x67395629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x67383412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x673929af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6686a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x6c8f4a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x6c8f4823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x6c1b30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x6c1b2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6b9d2b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6b9d2456
0x35b4f68
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6b6f0fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6b6f08cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6b6dfa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6b6df808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6b6df7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6b513b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6b5122ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6b6a522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6b6a5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6b6a407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6b6a3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6b6a3f6b
MdCallBack12-0x64a760 excel+0x37a4a @ 0x3f7a4a
MdCallBack12-0x64de96 excel+0x34314 @ 0x3f4314
MdCallBack12-0x67d476 excel+0x4d34 @ 0x3c4d34
MdCallBack12-0x67d76a excel+0x4a40 @ 0x3c4a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

Looks up the external IP address (1 event)

domain

ip-api.com

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\budget.xlsx
file	C:\Users\test22\AppData\Local\Temp\~$budget.xlsx

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\LZTIXH.vbs
file	C:\Users\test22\AppData\Local\Temp\JUYBRB.exe
file	C:\Users\test22\AppData\Local\Temp\build.exe
file	C:\Users\test22\AppData\Local\Temp\sheet.js
file	C:\Users\test22\AppData\Roaming\Windata\notepad.exe
file	C:\Users\test22\AppData\Local\Temp\Client.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 26, 2022, 5:23 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000498 filepath: C:\Users\test22\AppData\Local\Temp\~$budget.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$budget.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (2 events)

cmdline	schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\JUYBRB.exe
file	C:\Users\test22\AppData\Local\Temp\sheet.js
file	C:\Users\test22\AppData\Local\Temp\Client.exe
file	C:\Users\test22\AppData\Local\Temp\build.exe
file	C:\Users\test22\AppData\Local\Temp\budget.xlsx

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\JUYBRB.exe
file	C:\Users\test22\AppData\Local\Temp\Client.exe
file	C:\Users\test22\AppData\Local\Temp\build.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (48 events)

Time & API	Arguments	Status	Return
Process32FirstW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: System process_identifier: 4	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: services.exe process_identifier: 440	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 576	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 720	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 844	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: audiodg.exe process_identifier: 924	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: spoolsv.exe process_identifier: 1064	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: taskhost.exe process_identifier: 1132	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 1332	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: svchost.exe process_identifier: 1728	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: pw.exe process_identifier: 1860	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: SearchIndexer.exe process_identifier: 1904	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: SearchProtocolHost.exe process_identifier: 744	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: SearchProtocolHost.exe process_identifier: 1876	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: mobsync.exe process_identifier: 2024	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: pw.exe process_identifier: 2072	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: taskhost.exe process_identifier: 2120	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: sdclt.exe process_identifier: 2128	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: cmd.exe process_identifier: 2240	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: conhost.exe process_identifier: 2248	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: pw.exe process_identifier: 2328	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: JUYBRB.exe process_identifier: 2404	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: Client.exe process_identifier: 2488	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: build.exe process_identifier: 2532	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: conhost.exe process_identifier: 2584	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: wscript.exe process_identifier: 2668	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: EXCEL.EXE process_identifier: 2708	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: WmiPrvSE.exe process_identifier: 2860	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: WmiPrvSE.exe process_identifier: 2924	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: OSPPSVC.EXE process_identifier: 3048	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x000002c0 process_name: cmd.exe process_identifier: 2212	1	1
Process32NextW Sept. 26, 2022, 5:23 p.m.	snapshot_handle: 0x00000288 process_name: wscript.exe process_identifier: 2308	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 26, 2022, 5:23 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 26, 2022, 5:23 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0015fe00', u'virtual_address': u'0x00002000', u'entropy': 7.8622308841081, u'name': u'.rdata', u'virtual_size': u'0x0015fd64'}

entropy

7.86223088411

description

A section with a high entropy has been found

entropy

0.997873094647

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

wscript.exe

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (42 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA Sept. 26, 2022, 5:23 p.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile Sept. 26, 2022, 5:23 p.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Nowon-gu","zip":"019","lat":37.6559,"lon":127.0767,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (43 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LZTIXH	reg_value	"C:\Users\test22\AppData\Roaming\Windata\notepad.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheet	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js"
cmdline	schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn LZTIXH.exe /tr C:\Users\test22\AppData\Roaming\Windata\notepad.exe /sc minute /mo 1

Executes one or more WMI queries (5 events)

wmi	select * from antivirusproduct
wmi	Select * from AntiVirusProduct
wmi	select * from win32_operatingsystem
wmi	Select * from Win32_Process where name like 'JUYBRB.exe'
wmi	select * from win32_logicaldisk

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Clients\Mail

wscript.exe-based dropper (JScript, VBS) (20 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 63 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send Sept. 26, 2022, 5:23 p.m.	buffer: ! socket: 1000 sent: 1	1	1
send Sept. 26, 2022, 5:23 p.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1104 sent: 259	1	259
send Sept. 26, 2022, 5:23 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlA Sept. 26, 2022, 5:23 p.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:23 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:23 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:23 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:23 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:23 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:24 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:24 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Sept. 26, 2022, 5:25 p.m.	buffer: ! socket: 1000 sent: 1	1	1
InternetCrackUrlW Sept. 26, 2022, 5:25 p.m.	url: http://sheet.duckdns.org:9847/is-ready flags: 0	1	1
HttpOpenRequestW Sept. 26, 2022, 5:25 p.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\sheet.js" /elevated
parent_process	wscript.exe				martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Local\Temp\sheet.js" /elevated

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2448 resumed a thread in remote process 2668
NtResumeThread Sept. 26, 2022, 5:23 p.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2668	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware1
Lionic	Heuristic.File.Generic.00x1!p
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.228405
McAfee	GenericRXUD-VW!1451ED9B5629
Cylance	Unsafe
Zillya	Trojan.Stealer.Win32.27688
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059450a1 )
Alibaba	Worm:MSIL/RedLine.a1b55ac6
Cybereason	malicious.b5629e
Arcabit	Trojan.Lazy.D37C35
Cyren	W32/ABTrojan.KVQS-9257
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDropper.Agent.SRP
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Stealer.cokq
BitDefender	Gen:Variant.Lazy.228405
NANO-Antivirus	Trojan.Win32.Stealer.jsngmc
ViRobot	Trojan.Win32.Z.Lazy.1445376
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan-Spy.Stealer.Mcnw
Ad-Aware	Gen:Variant.Lazy.228405
Emsisoft	Gen:Variant.Lazy.228405 (B)
DrWeb	Trojan.Siggen18.48777
VIPRE	Gen:Variant.Lazy.228405
TrendMicro	TrojanSpy.Win32.REDLINE.YXCIMZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1451ed9b5629e22a
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Tnega
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/Generic.ASMalwS.7A29
Microsoft	RemoteAccess:MSIL/AsyncRAT.L!MTB
ZoneAlarm	Trojan-Spy.Win32.Stealer.cokq
GData	Win32.Trojan.PSE.10AFFS0
Google	Detected
AhnLab-V3	Malware/Win.generic.C5101305
Acronis	suspicious
VBA32	BScope.Trojan.Nitol
ALYac	Gen:Variant.Lazy.228405
MAX	malware (ai score=84)
Malwarebytes	Trojan.Dropper
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXCIMZ
Rising	Backdoor.DcRat!8.129D9 (TFE:1:BNER4NzZWDL)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.1728101.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (39 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49212
dead_host	192.168.56.103:49217
dead_host	192.168.56.103:49205
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49208
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49194
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49209
dead_host	192.168.56.103:49206
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49214
dead_host	192.168.56.103:49207
dead_host	159.223.57.212:8294
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49210
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49189
dead_host	159.223.57.212:9847
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49215
dead_host	192.168.56.103:49216
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49204
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49211
dead_host	192.168.56.103:49200

sheet.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All