Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 27, 2023, 7:42 a.m.	Dec. 27, 2023, 7:46 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`25be69edbd38d09faf01adfe59e39da2`
SHA256	`5edd78811dca8a2a0b11ac95542ad771058688eadc2a43e59a4f385f01524fbe`
CRC32	`2E4207D6`
ssdeep	`49152:3zCo1nSejp7KVR2sMKhnH/0oeYueTCxn0aO2xPsfC:Wo1nSekKDi0kNTK0aO2xPI`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file UPX_Zero - UPX packed file

foxi.exe "C:\Users\test22\AppData\Local\Temp\foxi.exe"
2548
- zP1Tf60.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zP1Tf60.exe
  2600
  - 4Za415Il.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4Za415Il.exe
    2668
    - cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      2808
      - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        2884
    - cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      2932
      - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        2996
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 23.32.56.72 A 23.32.56.80 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
ipinfo.io	A 34.117.186.192	34.117.186.192

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.233.132.62	Active	Moloch
23.32.56.72	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.233.132.62:50500 -> 192.168.56.101:49171	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49171	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49175 -> 34.117.186.192:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.186.192:443 -> 192.168.56.101:49175	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49171 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49175 34.117.186.192:443	C=US, O=Let's Encrypt, CN=R3	CN=ipinfo.io	17:1f:d0:ef:80:aa:6c:99:b1:c4:56:90:ac:2c:8e:3d:e2:0f:6c:c2

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 27, 2023, 7:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 27, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Dec. 27, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Dec. 27, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Dec. 27, 2023, 7:42 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00706c60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00706ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00706ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 27, 2023, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e8500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 27, 2023, 7:42 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (30 events)

Time & API	Arguments	Status
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258428 registers.edi: 24006896 registers.eax: 0 registers.ebp: 4258456 registers.edx: 2 registers.ebx: 2767992762 registers.esi: 21364736 registers.ecx: 46283032	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 2 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 2 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x26452a @ 0x15f452a 4za415il+0x263de9 @ 0x15f3de9 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258428 registers.edi: 4258428 registers.eax: 0 registers.ebp: 4258456 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258464	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25ab11 @ 0x15eab11 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 22768296 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 17170432 registers.esi: 21364736 registers.ecx: 21364736	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25ab11 @ 0x15eab11 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25ab11 @ 0x15eab11 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25aeb7 @ 0x15eaeb7 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 22768296 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 17170432 registers.esi: 21364736 registers.ecx: 0	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25aeb7 @ 0x15eaeb7 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25aeb7 @ 0x15eaeb7 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25aeb7 @ 0x15eaeb7 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 22768296 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 17170432 registers.esi: 21364736 registers.ecx: 0	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b049 @ 0x15eb049 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 22768296 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 17170432 registers.esi: 21364736 registers.ecx: 3761739076	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35d0 exception.instruction: ud2 exception.module: 4Za415Il.exe exception.exception_code: 0xc000001d exception.offset: 1783248 exception.address: 0x15435d0 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 2 registers.ebx: 22295995 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b216 @ 0x15eb216 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 4258340 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 22296038 registers.esi: 0 registers.ecx: 4258376	1
__exception__ Dec. 27, 2023, 7:42 a.m.	stacktrace: 4za415il+0x25b322 @ 0x15eb322 4za415il+0x263df6 @ 0x15f3df6 4za415il+0x35442d @ 0x16e442d exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 4za415il+0x1b35a5 exception.instruction: div eax exception.module: 4Za415Il.exe exception.exception_code: 0xc0000094 exception.offset: 1783205 exception.address: 0x15435a5 registers.esp: 4258340 registers.edi: 22768296 registers.eax: 0 registers.ebp: 4258368 registers.edx: 0 registers.ebx: 17170432 registers.esi: 21364736 registers.ecx: 3802956258	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET https://ipinfo.io/widget/demo/175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (50 out of 163 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 344064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01390000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7262b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72642000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7159a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 27, 2023, 7:42 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7326f000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Dec. 27, 2023, 7:42 a.m.	number_of_free_clusters: 3252172 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Dec. 27, 2023, 7:42 a.m.	number_of_free_clusters: 3252172 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Dec. 27, 2023, 7:42 a.m.	number_of_free_clusters: 3251676 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Dec. 27, 2023, 7:42 a.m.	number_of_free_clusters: 3251676 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 2329 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7aI8jZ57.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4Za415Il.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zP1Tf60.exe
file	C:\Users\test22\AppData\Local\Temp\tempAVS4hIQkWXNf6nT\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6hm5pS0.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

Creates a suspicious process (4 events)

cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\6hm5pS0.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\7aI8jZ57.exe
file	C:\Users\test22\AppData\Local\Temp\tempAVS4hIQkWXNf6nT\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zP1Tf60.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4Za415Il.exe

Executes one or more WMI queries (4 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_PhysicalMemory
wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 27, 2023, 7:42 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001fce00', u'virtual_address': u'0x0000c000', u'entropy': 7.985834470683731, u'name': u'.rsrc', u'virtual_size': u'0x001fd000'}

entropy

7.98583447068

description

A section with a high entropy has been found

entropy

0.984284332689

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 27, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000008c4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: AddressBook base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: Connection Manager base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: DirectDrawEx base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: EditPlus base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: ENTERPRISE base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: Fontcore base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: Google Chrome base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: IE40 base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: IE4Data base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: IE5BAKEX base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: IEData base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: MobileOptionPack base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: SchedulingAgent base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: WIC base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Dec. 27, 2023, 7:42 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x000008c4 key_handle: 0x000008c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'
wmi	SELECT * FROM Win32_PhysicalMemory

Communicates with host for which no DNS query was performed (1 event)

host

193.233.132.62

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 27, 2023, 7:42 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

4Za415Il.exe tried to sleep 2728207 seconds, actually delayed analysis time by 2728207 seconds

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131	reg_value	C:\Users\test22\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 27, 2023, 7:42 a.m.	key_handle: 0x000008c8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

foxi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All