Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2023, 7:43 a.m.	Nov. 1, 2023, 7:45 a.m.

Size	2.2MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`450783b6304d896d217b0a816a3f4853`
SHA256	`39c3cb4761ba5fbb081b564c592a3f01c461b72277fe6baaff24907208eae99f`
CRC32	`C5EDBE7C`
ssdeep	`49152:CD96aQpIPAMnqnQIQ0z4DMRu29DMDd22:Cx6aeI4MnVIJtMZ`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

700.exe "C:\Users\test22\AppData\Local\Temp\700.exe"
2548
- cmd.exe cmd /k cmd < Monetary & exit
  2696
  - cmd.exe cmd
    2740
    - tasklist.exe tasklist
      2784
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2820
    - tasklist.exe tasklist
      2952
    - findstr.exe findstr /I "wrsa.exe"
      2988
    - cmd.exe cmd /c mkdir 4422
      3064
    - cmd.exe cmd /c copy /b Goal + Lexus + Falls + Rfc 4422\Pros.pif
      1964
    - cmd.exe cmd /c copy /b United + Oo + Coupons + Scheme + Rural 4422\B
      2120
    - Pros.pif 4422\Pros.pif 4422\B
      2136
    - PING.EXE ping -n 5 localhost
      148
Pros.pif C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif
2852
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST
  2296
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST
  1332
- IEUpdater116.exe "C:\ProgramData\IEUpdater116\IEUpdater116.exe"
  2000
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
KXKQBfogIOh.KXKQBfogIOh
ipinfo.io	A 34.117.59.81	34.117.59.81
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.75.166	Active	Moloch
34.117.59.81	Active	Moloch
91.103.253.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49177 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 91.103.253.146:50500 -> 192.168.56.101:49176	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 91.103.253.146:50500 -> 192.168.56.101:49176	2046267	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 91.103.253.146:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 91.103.253.146:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49179 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (17 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 1, 2023, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 1, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 1, 2023, 7:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2023, 7:43 a.m.			0	0
IsDebuggerPresent Nov. 1, 2023, 7:45 a.m.			0	0

Command line console output was observed (50 out of 404 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: Set xhYfSKyrYzRqzGwQVELbviOrKvdaTfRygJLpNgVzbJSiO=i console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: PyKffdPajmUFvzN=JCMMKVSrGJsqN console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'PyKffdPajmUFvzN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: HfVoBjoqCOndnKS=nqJnpEwwDUhGIGYPEWSFJhS console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'HfVoBjoqCOndnKS' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: wIqYgzvokXlsdguehUEH=BsVQJLBRjYlipbAErNlbtcLvGndQP console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'wIqYgzvokXlsdguehUEH' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: PJlAmstiEHVdYYZpu=FbpuxlVuGnplcLwUpBWJXpmWoC console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'PJlAmstiEHVdYYZpu' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: ObMbbamlaoJfqFzLGYxj=gtPbjbTvYhXRI console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'ObMbbamlaoJfqFzLGYxj' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: JTwMSVAJLAkW=EnTXOdamzXZ console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'JTwMSVAJLAkW' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: UGOzVLbanKREjB=JEafkdxgYtfpBdHd console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'UGOzVLbanKREjB' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: eBYfLfPONDFUGfLjZIUqHNUAaQfG=WeRzUCKDwYgCAbMOzsPD console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'eBYfLfPONDFUGfLjZIUqHNUAaQfG' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: BHMffgHbXVqpjRBOAMMwJYKGnufi=YnmeFxxttFhryregzhGkqTFr console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'BHMffgHbXVqpjRBOAMMwJYKGnufi' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: Set hDXuRoZmMZvBuHbuJvunXDUHatSJWKtTvAaQvYhb=a console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: ztFMjGptsbnEEKIdOMfdD=UDtGfGKLoJ console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'ztFMjGptsbnEEKIdOMfdD' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: zlQwFSjmRzHxS=HiulAiYqsleIGdDxFgPxlmSgpTeQ console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'zlQwFSjmRzHxS' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: HjojKHnDAIBkzSFZWjVWbNzF=LofRwGtofJXTvVJtQyG console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'HjojKHnDAIBkzSFZWjVWbNzF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: pRHhgjHiTgUTCOZ=pLmwvetoIyAdkRGINsg console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'pRHhgjHiTgUTCOZ' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: AeDOZXgqPtdIWlVtFERuMnEoMsV=HkylmtYuoK console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: 'AeDOZXgqPtdIWlVtFERuMnEoMsV' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\54429> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 1, 2023, 7:43 a.m.	buffer: nOrzDPSzwV=roAoiebxeIejzEYyoSkO console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2023, 7:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 1, 2023, 7:43 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:43 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:43 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 1, 2023, 7:45 a.m.	process_identifier: 2000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:45 a.m.	process_identifier: 2000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2023, 7:45 a.m.	process_identifier: 2000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (12 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 1, 2023, 7:44 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 2286 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OperaConnect116.lnk

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\test22\Links\RecentPlaces.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OperaConnect116.lnk
file	C:\Users\test22\Links\Downloads.lnk

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\700.exe
file	C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif
file	C:\Users\test22\AppData\Local\Temp\54429\Goal

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 1, 2023, 7:44 a.m.	thread_identifier: 2300 thread_handle: 0x000003d8 process_identifier: 2296 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003cc	1	1	0
CreateProcessInternalW Nov. 1, 2023, 7:45 a.m.	thread_identifier: 2428 thread_handle: 0x00000504 process_identifier: 1332 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: taskhost.exe process_identifier: 2356	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: 700.exe process_identifier: 2548	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: conhost.exe process_identifier: 2592	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: cmd.exe process_identifier: 2696	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: cmd.exe process_identifier: 2740	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: WmiPrvSE.exe process_identifier: 2912	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: Pros.pif process_identifier: 2136	1	1
Process32NextW Nov. 1, 2023, 7:43 a.m.	snapshot_handle: 0x0000013c process_name: PING.EXE process_identifier: 148	1	1
Process32NextW Nov. 1, 2023, 7:44 a.m.	snapshot_handle: 0x00000408 process_name: taskhost.exe process_identifier: 2672	1	1
Process32NextW Nov. 1, 2023, 7:44 a.m.	snapshot_handle: 0x00000408 process_name: Pros.pif process_identifier: 2852	1	1
Process32NextW Nov. 1, 2023, 7:44 a.m.	snapshot_handle: 0x00000408 process_name: svchost.exe process_identifier: 3032	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 1, 2023, 7:45 a.m.	flags: 0 family: 2		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001c0a00', u'virtual_address': u'0x0007c000', u'entropy': 7.235642877772091, u'name': u'.rsrc', u'virtual_size': u'0x001c0a00'}

entropy

7.23564287777

description

A section with a high entropy has been found

entropy

0.795258143142

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 1, 2023, 7:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 1, 2023, 7:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.winimage.com/zLibDll

Yara rule detected in process memory (18 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000408 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000418 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000418 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000418 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000418 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000041c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000414 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Nov. 1, 2023, 7:44 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000420 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 1, 2023, 7:43 a.m.	status_code: 0x00000000 process_identifier: 2548 process_handle: 0x0000013c		0	0
NtTerminateProcess Nov. 1, 2023, 7:43 a.m.	status_code: 0x00000000 process_identifier: 2548 process_handle: 0x0000013c	1	0	0

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST
cmdline	tasklist
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST
cmdline	cmd /c mkdir 4422
cmdline	ping -n 5 localhost

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 8ca6be3a347cc6740baa4b0e34628f7cc11e6a71
buffer	Buffer with sha1: ea4f9433617e72e1ca0310404a67e4244f703179

Communicates with host for which no DNS query was performed (1 event)

host

91.103.253.146

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1335296 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 process_handle: 0x00000224	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LegalHelper116	reg_value	C:\Users\test22\AppData\Local\LegalHelper116\LegalHelper116.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OperaConnect116.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 manipulating memory of non-child process 2852
NtAllocateVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2852 region_size: 1335296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x005b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0	0
NtProtectVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1335296 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 process_handle: 0x00000224	1	0	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000418 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000418 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x0000041c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000414 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Nov. 1, 2023, 7:44 a.m.	key_handle: 0x00000420 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 2852
NtSetContextThread Nov. 1, 2023, 7:44 a.m.	registers.eip: 1995571652 registers.esp: 5962712 registers.edi: 0 registers.eax: 6725707 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2852	1	0	0

Expresses interest in specific running processes (4 events)

process	pros.pif
process	cmd.exe
process	700.exe
process: potential process injection target	explorer.exe

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 resumed a thread in remote process 2852
NtResumeThread Nov. 1, 2023, 7:44 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2852	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2700 thread_handle: 0x0000010c process_identifier: 2696 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: track: 1 command_line: cmd /k cmd < Monetary & exit filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000110	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2744 thread_handle: 0x00000088 process_identifier: 2740 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2788 thread_handle: 0x00000094 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000009c	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2824 thread_handle: 0x00000094 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2956 thread_handle: 0x0000009c process_identifier: 2952 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2992 thread_handle: 0x0000009c process_identifier: 2988 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "wrsa.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 3068 thread_handle: 0x000000a8 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c mkdir 4422 filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 908 thread_handle: 0x00000090 process_identifier: 1964 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Goal + Lexus + Falls + Rfc 4422\Pros.pif filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2124 thread_handle: 0x000000a8 process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b United + Oo + Coupons + Scheme + Rural 4422\B filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2064 thread_handle: 0x00000090 process_identifier: 2136 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif track: 1 command_line: 4422\Pros.pif 4422\B filepath_r: C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Nov. 1, 2023, 7:43 a.m.	thread_identifier: 2192 thread_handle: 0x000000a8 process_identifier: 148 current_directory: C:\Users\test22\AppData\Local\Temp\54429 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 5 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Nov. 1, 2023, 7:44 a.m.	thread_identifier: 2848 thread_handle: 0x00000220 process_identifier: 2852 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\54429\4422\Pros.pif filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000224	1	1
NtGetContextThread Nov. 1, 2023, 7:44 a.m.	thread_handle: 0x00000220	1	0
NtAllocateVirtualMemory Nov. 1, 2023, 7:44 a.m.	process_identifier: 2852 region_size: 1335296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x005b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
NtSetContextThread Nov. 1, 2023, 7:44 a.m.	registers.eip: 1995571652 registers.esp: 5962712 registers.edi: 0 registers.eax: 6725707 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2852	1	0
NtResumeThread Nov. 1, 2023, 7:44 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2852	1	0
NtResumeThread Nov. 1, 2023, 7:44 a.m.	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2852	1	0
CreateProcessInternalW Nov. 1, 2023, 7:44 a.m.	thread_identifier: 2300 thread_handle: 0x000003d8 process_identifier: 2296 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW Nov. 1, 2023, 7:45 a.m.	thread_identifier: 2428 thread_handle: 0x00000504 process_identifier: 1332 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\IEUpdater116\IEUpdater116.exe" /tn "IEUpdater116 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Nov. 1, 2023, 7:45 a.m.	thread_identifier: 2452 thread_handle: 0x00000574 process_identifier: 2000 current_directory: C:\Users\test22\AppData\Local\Temp\tempAVSbahrIBKLh1bJ filepath: C:\ProgramData\IEUpdater116\IEUpdater116.exe track: 1 command_line: "C:\ProgramData\IEUpdater116\IEUpdater116.exe" filepath_r: C:\ProgramData\IEUpdater116\IEUpdater116.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000057c	1	1
NtResumeThread Nov. 1, 2023, 7:45 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2000	1	0

700.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All