Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 3, 2024, 7:39 a.m.	May 3, 2024, 7:43 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`51eb099e680eb872a3619c63edcfdc5a`
SHA256	`c49d2803464e2eecb118dc95776fabee0f3addd7ae31505c42a3bd839c973696`
CRC32	`81F453B4`
ssdeep	`49152:CGY5918NqwTEgTcQUEnurFnLTHLpWGBM/OS7xpJBKn8Q/UgVR:ThTPUumfM/bBBO3/UeR`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

lenin.exe "C:\Users\test22\AppData\Local\Temp\lenin.exe"
2668
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2908
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2968

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.26.5.15	Active	Moloch
147.45.47.93	Active	Moloch
164.124.101.2	Active	Moloch
34.117.186.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 147.45.47.93:58709 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 147.45.47.93:58709 -> 192.168.56.101:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 147.45.47.93:58709	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	65:b1:27:2e:35:d2:f7:1f:20:04:c5:ca:ea:4e:7a:b4:69:6a:83:00

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 3, 2024, 7:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 7:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 7:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (16 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:39 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0
IsDebuggerPresent May 3, 2024, 7:40 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 3, 2024, 7:39 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW May 3, 2024, 7:39 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 3, 2024, 7:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	dsnbtpoh
section	zobzlcfs
section	.taggant

One or more processes crashed (50 out of 115 events)

Time & API	Arguments	Status
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: lenin+0x44f0b9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 4518073 exception.address: 0x128f0b9 registers.esp: 4127548 registers.edi: 0 registers.eax: 1 registers.ebp: 4127564 registers.edx: 21196800 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 c2 b4 1b 6b 4f e9 fc 02 00 00 89 2c 24 50 exception.symbol: lenin+0x19641b exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1664027 exception.address: 0xfd641b registers.esp: 4127512 registers.edi: 1968898280 registers.eax: 26527 registers.ebp: 4006625300 registers.edx: 16604609 registers.ebx: 16604183 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 56 55 89 04 24 89 0c 24 68 01 57 3b 35 59 e9 exception.symbol: lenin+0x195fe3 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1662947 exception.address: 0xfd5fe3 registers.esp: 4127516 registers.edi: 1968898280 registers.eax: 3394005079 registers.ebp: 4006625300 registers.edx: 16607692 registers.ebx: 16604183 registers.esi: 0 registers.ecx: 1969094656	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 c1 b5 59 fb 3d 56 c7 04 24 9d 34 e6 32 89 exception.symbol: lenin+0x196e03 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1666563 exception.address: 0xfd6e03 registers.esp: 4127512 registers.edi: 1968898280 registers.eax: 31125 registers.ebp: 4006625300 registers.edx: 237398862 registers.ebx: 1649209466 registers.esi: 0 registers.ecx: 16608139	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 50 e9 eb f5 ff ff ff 34 24 5b 50 89 e0 05 04 exception.symbol: lenin+0x1975ce exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 1668558 exception.address: 0xfd75ce registers.esp: 4127516 registers.edi: 1968898280 registers.eax: 31125 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 1649209466 registers.esi: 235753 registers.ecx: 16610812	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 57 e9 e9 05 00 00 ff 34 24 58 56 89 e6 e9 e6 exception.symbol: lenin+0x320d40 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3280192 exception.address: 0x1160d40 registers.esp: 4127512 registers.edi: 16643786 registers.eax: 32114 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 18221784 registers.esi: 18205105 registers.ecx: 750	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 1a 84 7e 77 81 0c 24 18 7f fb 73 exception.symbol: lenin+0x3212a2 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3281570 exception.address: 0x11612a2 registers.esp: 4127516 registers.edi: 16643786 registers.eax: 32114 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 18253898 registers.esi: 4294937676 registers.ecx: 628457	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 2c 00 00 00 01 d9 81 c1 96 f5 d9 7f e9 00 exception.symbol: lenin+0x323581 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3290497 exception.address: 0x1163581 registers.esp: 4127512 registers.edi: 16643786 registers.eax: 18229769 registers.ebp: 4006625300 registers.edx: 2086012395 registers.ebx: 18253898 registers.esi: 4294937676 registers.ecx: 2091565907	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 f8 01 00 00 81 ec 04 00 00 00 89 04 24 89 exception.symbol: lenin+0x3230b4 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3289268 exception.address: 0x11630b4 registers.esp: 4127516 registers.edi: 0 registers.eax: 18232978 registers.ebp: 4006625300 registers.edx: 1549541099 registers.ebx: 18253898 registers.esi: 4294937676 registers.ecx: 2091565907	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 53 bb 5a d7 6d 5f 56 be d4 e7 cf 65 e9 29 02 exception.symbol: lenin+0x328863 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3311715 exception.address: 0x1168863 registers.esp: 4127516 registers.edi: 4294944752 registers.eax: 1259 registers.ebp: 4006625300 registers.edx: 2163008 registers.ebx: 18233004 registers.esi: 18278109 registers.ecx: 14288	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 89 2c 24 89 14 24 e9 exception.symbol: lenin+0x330686 exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3344006 exception.address: 0x1170686 registers.esp: 4127508 registers.edi: 4294944752 registers.eax: 1447909480 registers.ebp: 4006625300 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18267551 registers.ecx: 20	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: lenin+0x32e57e exception.address: 0x116e57e exception.module: lenin.exe exception.exception_code: 0xc000001d exception.offset: 3335550 registers.esp: 4127508 registers.edi: 4294944752 registers.eax: 1 registers.ebp: 4006625300 registers.edx: 22104 registers.ebx: 0 registers.esi: 18267551 registers.ecx: 20	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 31 36 2d 12 01 exception.symbol: lenin+0x32f8f8 exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3340536 exception.address: 0x116f8f8 registers.esp: 4127508 registers.edi: 4294944752 registers.eax: 1447909480 registers.ebp: 4006625300 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18267551 registers.ecx: 10	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 50 e8 03 00 00 00 20 58 c3 58 exception.symbol: lenin+0x3345f9 exception.instruction: int 1 exception.module: lenin.exe exception.exception_code: 0xc0000005 exception.offset: 3360249 exception.address: 0x11745f9 registers.esp: 4127476 registers.edi: 0 registers.eax: 4127476 registers.ebp: 4006625300 registers.edx: 272630336 registers.ebx: 18302786 registers.esi: 869663337 registers.ecx: 18302435	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 56 89 2c 24 bd 7e 6e e7 29 c1 ed 04 c1 ed 05 exception.symbol: lenin+0x335382 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3363714 exception.address: 0x1175382 registers.esp: 4127516 registers.edi: 4294944752 registers.eax: 29224 registers.ebp: 4006625300 registers.edx: 6379 registers.ebx: 0 registers.esi: 1126488280 registers.ecx: 18306613	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 56 81 ec 04 00 00 00 89 1c 24 68 a4 40 15 5f exception.symbol: lenin+0x33ce4d exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3395149 exception.address: 0x117ce4d registers.esp: 4127512 registers.edi: 4294944752 registers.eax: 29621 registers.ebp: 4006625300 registers.edx: 654654 registers.ebx: 18334643 registers.esi: 1126488280 registers.ecx: 18306674	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 d7 f9 ff ff 83 c4 04 81 c1 3e 60 ff 2f 01 exception.symbol: lenin+0x33cba9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3394473 exception.address: 0x117cba9 registers.esp: 4127516 registers.edi: 4294944752 registers.eax: 29621 registers.ebp: 4006625300 registers.edx: 654654 registers.ebx: 18364264 registers.esi: 1126488280 registers.ecx: 18306674	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 25 fe ff ff 81 c7 04 00 00 00 81 c7 04 00 exception.symbol: lenin+0x33c62d exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3393069 exception.address: 0x117c62d registers.esp: 4127516 registers.edi: 4294940512 registers.eax: 29621 registers.ebp: 4006625300 registers.edx: 654654 registers.ebx: 18364264 registers.esi: 604292950 registers.ecx: 18306674	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 50 89 e0 57 e9 86 00 00 00 5c 68 ad 77 56 68 exception.symbol: lenin+0x348b4b exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3443531 exception.address: 0x1188b4b registers.esp: 4127504 registers.edi: 16602302 registers.eax: 28128 registers.ebp: 4006625300 registers.edx: 6 registers.ebx: 19292831 registers.esi: 1968968720 registers.ecx: 18384654	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 0c fd ff ff 5e 50 5b ff 34 24 e9 d4 01 00 exception.symbol: lenin+0x348a20 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3443232 exception.address: 0x1188a20 registers.esp: 4127508 registers.edi: 16602302 registers.eax: 28128 registers.ebp: 4006625300 registers.edx: 6 registers.ebx: 19292831 registers.esi: 1968968720 registers.ecx: 18412782	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 55 51 e9 c1 03 00 00 05 04 00 00 00 e9 b4 fc exception.symbol: lenin+0x348adc exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3443420 exception.address: 0x1188adc registers.esp: 4127508 registers.edi: 16602302 registers.eax: 4117772904 registers.ebp: 4006625300 registers.edx: 4294942192 registers.ebx: 19292831 registers.esi: 1968968720 registers.ecx: 18412782	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 55 68 71 67 6b 7f ff 34 24 5d 83 c4 04 81 c5 exception.symbol: lenin+0x349509 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3446025 exception.address: 0x1189509 registers.esp: 4127508 registers.edi: 561897 registers.eax: 25908 registers.ebp: 4006625300 registers.edx: 4294942192 registers.ebx: 0 registers.esi: 1968968720 registers.ecx: 18390452	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 50 68 40 f8 75 08 89 0c 24 e9 5c 01 00 00 81 exception.symbol: lenin+0x35075a exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3475290 exception.address: 0x119075a registers.esp: 4127508 registers.edi: 4294938072 registers.eax: 32326 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 16717 registers.esi: 84201 registers.ecx: 18449367	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 55 e9 b8 00 00 00 58 87 34 24 e9 5a f8 ff ff exception.symbol: lenin+0x35b5ef exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3519983 exception.address: 0x119b5ef registers.esp: 4127508 registers.edi: 18455649 registers.eax: 31738 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 18455649 registers.esi: 0 registers.ecx: 18491493	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 6e 94 a0 24 e9 7d 07 00 00 57 51 exception.symbol: lenin+0x35b0d6 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3518678 exception.address: 0x119b0d6 registers.esp: 4127508 registers.edi: 116969 registers.eax: 31738 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 18455649 registers.esi: 4294938724 registers.ecx: 18491493	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 c3 e1 4c af 4f 50 e9 f0 00 00 00 53 bb fe exception.symbol: lenin+0x370f9e exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3608478 exception.address: 0x11b0f9e registers.esp: 4127472 registers.edi: 18529113 registers.eax: 27568 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 18547885 registers.esi: 18542362 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 53 e9 01 08 00 00 8f 04 24 8b 24 24 81 eb a5 exception.symbol: lenin+0x37076e exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3606382 exception.address: 0x11b076e registers.esp: 4127476 registers.edi: 322689 registers.eax: 27568 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 18551321 registers.esi: 18542362 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 50 83 ec 04 89 04 24 c7 04 24 b5 97 e7 74 e9 exception.symbol: lenin+0x371f58 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3612504 exception.address: 0x11b1f58 registers.esp: 4127476 registers.edi: 2634110560 registers.eax: 18581084 registers.ebp: 4006625300 registers.edx: 4294941404 registers.ebx: 18551321 registers.esi: 18542362 registers.ecx: 635865249	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 68 79 0b c3 57 89 04 24 68 7a 69 37 5d e9 cf exception.symbol: lenin+0x372746 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3614534 exception.address: 0x11b2746 registers.esp: 4127476 registers.edi: 18582915 registers.eax: 26515 registers.ebp: 4006625300 registers.edx: 4294939390 registers.ebx: 18555999 registers.esi: 18555223 registers.ecx: 0	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 51 e9 62 fb ff ff 8b 24 24 e9 f0 f8 ff ff 52 exception.symbol: lenin+0x372ea9 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3616425 exception.address: 0x11b2ea9 registers.esp: 4127476 registers.edi: 18558979 registers.eax: 26515 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 18555999 registers.esi: 18555223 registers.ecx: 943562125	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 2a 01 00 00 81 eb 45 1f 87 72 89 da 5b 81 exception.symbol: lenin+0x373b43 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3619651 exception.address: 0x11b3b43 registers.esp: 4127472 registers.edi: 18558979 registers.eax: 29521 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 16611409 registers.esi: 18559672 registers.ecx: 540653876	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 57 56 e9 00 00 00 00 be ff b7 bf 7f e9 00 00 exception.symbol: lenin+0x373e09 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3620361 exception.address: 0x11b3e09 registers.esp: 4127476 registers.edi: 18558979 registers.eax: 44777 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 16611409 registers.esi: 18562613 registers.ecx: 0	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 68 12 64 44 23 e9 93 01 00 00 ff 34 24 5a 81 exception.symbol: lenin+0x378435 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3638325 exception.address: 0x11b8435 registers.esp: 4127476 registers.edi: 18608902 registers.eax: 30497 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 65786 registers.esi: 18562613 registers.ecx: 1971716238	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 57 68 00 66 ad 6e 5f c1 e7 03 c1 ef 07 68 0a exception.symbol: lenin+0x378410 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3638288 exception.address: 0x11b8410 registers.esp: 4127476 registers.edi: 18608902 registers.eax: 30497 registers.ebp: 4006625300 registers.edx: 4294939656 registers.ebx: 65786 registers.esi: 24811 registers.ecx: 1971716238	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 e9 90 41 bf 75 81 c1 e6 8e f7 5b e9 ad 00 exception.symbol: lenin+0x37ad08 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3648776 exception.address: 0x11bad08 registers.esp: 4127472 registers.edi: 18608902 registers.eax: 33004 registers.ebp: 4006625300 registers.edx: 114985854 registers.ebx: 1400507106 registers.esi: 24811 registers.ecx: 18589194	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 68 d6 46 2a 61 89 34 24 c7 04 24 37 3a ef 5b exception.symbol: lenin+0x37b137 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3649847 exception.address: 0x11bb137 registers.esp: 4127476 registers.edi: 18608902 registers.eax: 33004 registers.ebp: 4006625300 registers.edx: 114985854 registers.ebx: 1400507106 registers.esi: 24811 registers.ecx: 18622198	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 56 68 6b cf 74 67 8b 34 24 83 c4 04 c1 ee 03 exception.symbol: lenin+0x37af09 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3649289 exception.address: 0x11baf09 registers.esp: 4127476 registers.edi: 0 registers.eax: 81129 registers.ebp: 4006625300 registers.edx: 114985854 registers.ebx: 1400507106 registers.esi: 24811 registers.ecx: 18592266	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f 55 89 04 24 50 c7 04 24 a5 42 exception.symbol: lenin+0x37dab8 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3660472 exception.address: 0x11bdab8 registers.esp: 4127476 registers.edi: 18632006 registers.eax: 30988 registers.ebp: 4006625300 registers.edx: 24811 registers.ebx: 4024150037 registers.esi: 18599845 registers.ecx: 1872732580	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 57 51 b9 6c b0 e5 79 bf b7 f4 0e 5f 31 cf 8b exception.symbol: lenin+0x37da0f exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3660303 exception.address: 0x11bda0f registers.esp: 4127476 registers.edi: 18632006 registers.eax: 30988 registers.ebp: 4006625300 registers.edx: 24811 registers.ebx: 604292946 registers.esi: 18599845 registers.ecx: 4294938868	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 55 bd 0a 81 56 3c e9 da f9 ff exception.symbol: lenin+0x38f9c5 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3733957 exception.address: 0x11cf9c5 registers.esp: 4127476 registers.edi: 18636922 registers.eax: 30206 registers.ebp: 4006625300 registers.edx: 1629832 registers.ebx: 18636890 registers.esi: 18703599 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 df 91 37 34 89 0c 24 89 e1 e9 38 exception.symbol: lenin+0x38eff4 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3731444 exception.address: 0x11ceff4 registers.esp: 4127476 registers.edi: 18636922 registers.eax: 0 registers.ebp: 4006625300 registers.edx: 1629832 registers.ebx: 3361305192 registers.esi: 18676603 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 52 51 50 c7 04 24 eb 68 73 1f 89 1c 24 51 b9 exception.symbol: lenin+0x391ebd exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3743421 exception.address: 0x11d1ebd registers.esp: 4127476 registers.edi: 4023132270 registers.eax: 30967 registers.ebp: 4006625300 registers.edx: 1629832 registers.ebx: 115460 registers.esi: 18713940 registers.ecx: 20310789	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 e9 b9 02 00 00 5e exception.symbol: lenin+0x391caa exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3742890 exception.address: 0x11d1caa registers.esp: 4127476 registers.edi: 4023132270 registers.eax: 4294939776 registers.ebp: 4006625300 registers.edx: 604292949 registers.ebx: 115460 registers.esi: 18713940 registers.ecx: 20310789	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 42 ea f6 51 89 14 24 68 b0 c9 bb exception.symbol: lenin+0x3a1c23 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3808291 exception.address: 0x11e1c23 registers.esp: 4127476 registers.edi: 18774869 registers.eax: 26444 registers.ebp: 4006625300 registers.edx: 1629832 registers.ebx: 1971716070 registers.esi: 4178184 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 90 18 f7 exception.symbol: lenin+0x3a1b31 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3808049 exception.address: 0x11e1b31 registers.esp: 4127476 registers.edi: 18774869 registers.eax: 4294943524 registers.ebp: 4006625300 registers.edx: 1629832 registers.ebx: 1971716070 registers.esi: 2809442664 registers.ecx: 4185456640	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 2d 86 48 7d 5d 05 01 e6 7e 76 03 04 24 2d 01 exception.symbol: lenin+0x3a9a21 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3840545 exception.address: 0x11e9a21 registers.esp: 4127472 registers.edi: 18774869 registers.eax: 18780148 registers.ebp: 4006625300 registers.edx: 9 registers.ebx: 1984560879 registers.esi: 4011539647 registers.ecx: 10	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 51 e9 09 fe ff ff 81 ed b9 4e ff 5f 81 c5 82 exception.symbol: lenin+0x3a9788 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3839880 exception.address: 0x11e9788 registers.esp: 4127476 registers.edi: 18774869 registers.eax: 18782781 registers.ebp: 4006625300 registers.edx: 0 registers.ebx: 13756757 registers.esi: 4011539647 registers.ecx: 10	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 81 e9 20 12 c9 7d 68 13 ee 83 64 89 2c 24 bd exception.symbol: lenin+0x3aa6c2 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3843778 exception.address: 0x11ea6c2 registers.esp: 4127472 registers.edi: 18774869 registers.eax: 28060 registers.ebp: 4006625300 registers.edx: 853767968 registers.ebx: 546938280 registers.esi: 4011539647 registers.ecx: 18783187	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 55 68 f2 f5 1e 77 ff 34 24 5d 81 c4 04 00 00 exception.symbol: lenin+0x3a9df8 exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3841528 exception.address: 0x11e9df8 registers.esp: 4127476 registers.edi: 80171349 registers.eax: 0 registers.ebp: 4006625300 registers.edx: 853767968 registers.ebx: 546938280 registers.esi: 4011539647 registers.ecx: 18786047	1
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: fb 57 83 ec 04 89 1c 24 bb 5a 18 3a 2f e9 40 fd exception.symbol: lenin+0x3b08fd exception.instruction: sti exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3868925 exception.address: 0x11f08fd registers.esp: 4127472 registers.edi: 3927380289 registers.eax: 32095 registers.ebp: 4006625300 registers.edx: 2130566132 registers.ebx: 67405146 registers.esi: 1995571212 registers.ecx: 18808443	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://db-ip.com/demo/home.php?s=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 7:39 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

lenin.exe tried to sleep 262 seconds, actually delayed analysis time by 262 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 3, 2024, 7:40 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 2813 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\igkpcodhieompeloncfnbekccinhapdb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Sync Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\agoakfejjabomempkjlepdflaleeobhb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 3, 2024, 7:39 a.m.	thread_identifier: 2912 thread_handle: 0x000001bc process_identifier: 2908 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c0	1	1	0
CreateProcessInternalW May 3, 2024, 7:39 a.m.	thread_identifier: 2972 thread_handle: 0x000001c8 process_identifier: 2968 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001c4	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 3, 2024, 7:40 a.m.	snapshot_handle: 0x000004cc process_name: lenin.exe process_identifier: 2668	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x000aa000', u'virtual_address': u'0x00001000', u'entropy': 7.924272737726842, u'name': u' \\x00 ', u'virtual_size': u'0x00186000'}

entropy

7.92427273773

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001600', u'virtual_address': u'0x00187000', u'entropy': 7.706846537851598, u'name': u'.rsrc', u'virtual_size': u'0x0000b2a0'}

entropy

7.70684653785

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a6e00', u'virtual_address': u'0x0044f000', u'entropy': 7.913749098306294, u'name': u'dsnbtpoh', u'virtual_size': u'0x001a7000'}

entropy

7.91374909831

description

A section with a high entropy has been found

entropy

0.995602094241

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004cc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004dc options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA May 3, 2024, 7:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004f0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host

147.45.47.93

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (48 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 3, 2024, 7:40 a.m.	class_name: pediy06 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004ec regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 3, 2024, 7:40 a.m.	key_handle: 0x000004f0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 3, 2024, 7:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 89 2c 24 89 14 24 e9 exception.symbol: lenin+0x330686 exception.instruction: in eax, dx exception.module: lenin.exe exception.exception_code: 0xc0000096 exception.offset: 3344006 exception.address: 0x1170686 registers.esp: 4127508 registers.edi: 4294944752 registers.eax: 1447909480 registers.ebp: 4006625300 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 18267551 registers.ecx: 20	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
ALYac	Gen:Variant.Zusy.545972
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.545972
Sangfor	Suspicious.Win32.Save.a
BitDefender	Gen:Variant.Zusy.545972
K7GW	Trojan ( 005376ae1 )
K7AntiVirus	Trojan ( 005376ae1 )
Arcabit	Trojan.Zusy.D854B4
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	VHO:Trojan.Win32.Convagent.gen
MicroWorld-eScan	Gen:Variant.Zusy.545972
Emsisoft	Gen:Variant.Zusy.545972 (B)
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.51eb099e680eb872
Google	Detected
MAX	malware (ai score=84)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/RisePro.RP!MTB
ZoneAlarm	VHO:Trojan.Win32.Convagent.gen
GData	Gen:Variant.Zusy.545972
Varist	W32/RisePro.H.gen!Eldorado
AhnLab-V3	Trojan/Win.RisePro.R646871
BitDefenderTheta	Gen:NN.ZexaF.36804.vE0aa0KuHGfk
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.Themida
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.121218.susgen
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml

lenin.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All