Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 3, 2024, 7:18 a.m.	April 3, 2024, 7:26 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`a4702dad93dc851947aa6bd7b9652c46`
SHA256	`2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5`
CRC32	`63B40CF6`
ssdeep	`24576:SyvFWZZO/TzAEuDtTVAxn+NZh0ocqB8J+zFX/DZCtkY:Tn+NZGolS+5/caY`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

sys.exe "C:\Users\test22\AppData\Local\Temp\sys.exe"
1020
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST
  2504
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST
  2564
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST
  2792
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST
  2852
- YaV8gLRiIlNUtsLgaT72.exe "C:\Users\test22\AppData\Local\Temp\heidiML2ALAQJwRqK\YaV8gLRiIlNUtsLgaT72.exe"
  2916

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
104.26.4.15	Active	Moloch
164.124.101.2	Active	Moloch
193.233.132.106	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49187 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 193.233.132.106:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49184	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49185 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49188	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.103:49188 -> 193.233.132.106:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 193.233.132.106:8081	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 193.233.132.106:8081	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 193.233.132.106:8081 -> 192.168.56.103:49180	2014819	ET INFO Packed Executable Download	Misc activity
TCP 193.233.132.106:8081 -> 192.168.56.103:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.106:8081 -> 192.168.56.103:49180	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 193.233.132.106:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49165	2049660	ET MALWARE RisePro CnC Activity (Outbound)	A Network Trojan was detected
TCP 193.233.132.106:50500 -> 192.168.56.103:49165	2049660	ET MALWARE RisePro CnC Activity (Outbound)	A Network Trojan was detected
TCP 192.168.56.103:49185 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00
TLSv1 192.168.56.103:49187 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2024, 7:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2024, 7:19 a.m.			0	0
IsDebuggerPresent April 3, 2024, 7:19 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: SUCCESS: The scheduled task "MPGPH2123 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: SUCCESS: The scheduled task "MPGPH2123 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2024, 7:19 a.m.	buffer: SUCCESS: The scheduled task "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" has successfully been created. console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2024, 7:19 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2024, 7:18 a.m.	process_identifier: 1020 region_size: 659456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:18 a.m.	process_identifier: 1020 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02140000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:18 a.m.	process_identifier: 1020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:18 a.m.	process_identifier: 1020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77900000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:20 a.m.	process_identifier: 1020 region_size: 499712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:20 a.m.	process_identifier: 1020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2916 region_size: 659456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2916 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:19 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77900000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:20 a.m.	process_identifier: 2916 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:20 a.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 3, 2024, 7:19 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 5022 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\igkpcodhieompeloncfnbekccinhapdb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Sync Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\heidiML2ALAQJwRqK\YaV8gLRiIlNUtsLgaT72.exe

Creates a suspicious process (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\heidiML2ALAQJwRqK\YaV8gLRiIlNUtsLgaT72.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\heidiML2ALAQJwRqK\YaV8gLRiIlNUtsLgaT72.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 3, 2024, 7:19 a.m.	thread_identifier: 2508 thread_handle: 0x00000124 process_identifier: 2504 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000011c	1	1
CreateProcessInternalW April 3, 2024, 7:19 a.m.	thread_identifier: 2568 thread_handle: 0x0000012c process_identifier: 2564 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000128	1	1
CreateProcessInternalW April 3, 2024, 7:19 a.m.	thread_identifier: 2796 thread_handle: 0x00000598 process_identifier: 2792 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x0000059c	1	1
CreateProcessInternalW April 3, 2024, 7:19 a.m.	thread_identifier: 2856 thread_handle: 0x000005a4 process_identifier: 2852 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000005a0	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: pw.exe process_identifier: 1688	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: SearchFilterHost.exe process_identifier: 1280	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: svchost.exe process_identifier: 2256	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: mscorsvw.exe process_identifier: 2284	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: cmd.exe process_identifier: 2456	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: conhost.exe process_identifier: 2464	1	1
Process32NextW April 3, 2024, 7:19 a.m.	snapshot_handle: 0x0000045c process_name: pw.exe process_identifier: 2488	1	1

An executable file was downloaded by the process sys.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 3, 2024, 7:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL $ø fà'Üàð@ðÿ@ `È8Y $bÔ.textdÚÜ``.datax ð à@À.rdata24ì@@.eh_fram<@ @@.bssä PÀ.idataÈ`0@À.CRT4p>@À.tls@@À.reloc8YZB@BÃ´&´&ì1Àf=@MZÇTPPÇPPPÇLPPu<@º@PE@tZ£PP¡`PPÀt<Ç$èøQèëQtPPèÖQ\PPèÁ=ùNtH1ÀÄÃfÇ$è¼QëÂf·Qfút=fúu¹vø1ÀÒÀéyÿÿÿvÇ$`®@è$£1ÀÄÃ¶ytTÿÿÿè1ÀÉÀéBÿÿÿ´&t&ì,¡HPPÇD$PP£PP¡ùNÇD$PPD$ÇD$PPÇ$PPèöPÄ,ÃfL$äðÿqüUåWVS1ÛQì(5àbPd¡xë´&f9ÇÇ$èÿÖìØð±=@PPÀuÞ¡DPP1Ûøq¡DPPÀÑÇPP¡DPPøfÛ¡ OÀtÇD$ÇD$Ç$ÿÐìèÇ$ ´@ÿÜbPì£xPPÇ$@èVJè¡5PP<µ<$è´PPPÁödWüÆMàUÜEävÃÆ$èàPx<$èuPFüKü\|$L$$èwPEä9ÃuÈMàUÜÊÇ PPèg¡PPcPD$¡PPD$¡PP$è½ PP£PPÉÌPPÒtseðY[^_]aüÃ´&¡DPP»øþÿÿÇ$è9O¡DPPøþÿÿÇD$pPÇ$pPè/OÇDPPÛ\|þÿÿ@PPéqþÿÿfèûN¡PPeðY[^_]aüÃ´&vÇDPPÇD$pPÇ$pPèÒNéþÿÿt&Âééþÿÿ$èñN´&fÇ`PPéqýÿÿÇ`PPéaýÿÿ request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a0c00', u'virtual_address': u'0x0004f000', u'entropy': 7.998618411402732, u'name': u'.data', u'virtual_size': u'0x000a0a78'}

entropy

7.9986184114

description

A section with a high entropy has been found

entropy

0.605461393597

description

Overall entropy of this PE file is high

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000045c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA April 3, 2024, 7:19 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000458 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

193.233.132.106

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP2123	reg_value	C:\Users\test22\AppData\Local\RageMP2123\RageMP2123.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e	reg_value	C:\Users\test22\AppData\Local\AdobeUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\AdobeUpdaterV2123.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA April 3, 2024, 7:19 a.m.	key_handle: 0x00000458 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH2123\MPGPH2123.exe" /tn "MPGPH2123 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e\MSIUpdaterV2123.exe" /tn "MSIUpdaterV2123_d41d8cd98f00b204e9800998ecf8427e HR" /sc HOURLY /rl HIGHEST

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.RisePro.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.Vdn4
Cybereason	malicious.d93dc8
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!A4702DAD93DC
Kaspersky	UDS:DangerousObject.Multi.Generic
FireEye	Generic.mg.a4702dad93dc8519
Sophos	Mal/Generic-S
Kingsoft	Win32.PSWTroj.Undef.a
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	UDS:DangerousObject.Multi.Generic
BitDefenderTheta	Gen:NN.ZexaF.36802.cLW@a0NJdgj
SentinelOne	Static AI - Malicious PE
CrowdStrike	win/malicious_confidence_90% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.233.132.106:80

sys.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All